assayer-pro/yii2-cspreport

Yii2 Module for Content Security Policy Report

Installs: 4 367

Dependents: 0

Suggesters: 0

Security: 0

Stars: 2

Watchers: 2

Forks: 0

Open Issues: 0

Type:yii2-extension

1.0.1 2016-02-20 15:43 UTC

This package is auto-updated.

Last update: 2024-12-14 05:36:27 UTC


README

yii2 Module for Content Security Policy Report

Installation

The preferred way to install this extension is through composer.

  • Either run
php composer.phar require --prefer-dist "assayer-pro/yii2-cspreport" "*"

or add

"assayer-pro/yii2-cspreport" : "*"

to the require section of your application's composer.json file.

Usage

  • Add a new module in modules section of your application's configuration file, for example:
    'modules' => [
        'csp-report' => [
            'class' => 'assayerpro\cspreport\Module',
            'message' => [
                'from' => 'admin@example.com',
                'to' => 'developer@example.com',
                'subject' => 'Content Security Policy Report',
            ],
        ],
    ],
  • Add a new rule for urlManager of your application's configuration file, for example:
    'components' => [
    ...
        'urlManager' => [
            'rules' => [
                'csp-report' => 'csp-report/report/index',
            ],
        ],
    ...
    ],
  • Add application/csp-report parser:
    'components' => [
    ...
        'request' => [
            'parsers' => [
                'application/csp-report' => 'yii\web\JsonParser',
            ],
        ],
    ...
    ],
  • Apache Content-Security-Policy Header

Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:

Header set Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report;"
  • Nginx Content-Security-Policy Header

In your server {} block add:

   add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";

You can also append always to the end to ensure that nginx sends the header reguardless of response code.