eugene-manuilov/phalcon-csp

This package is abandoned and no longer maintained. No replacement package was suggested.

Content Security Policy plugin for PhalconPHP framework.

Maintainers

Details

github.com/eugene-manuilov/phalcon-csp

Source

Issues

Installs: 4 762

Dependents: 0

Suggesters: 0

Security: 0

Stars: 4

Watchers: 2

Forks: 0

Open Issues: 1

1.0.1 2016-08-24 21:47 UTC

Requires (Dev)

MIT 1085efba0e59c389b5844bba5366a7e03c46a826

  • Eugene Manuilov <eugene.manuilov.woop@gmail.com>

phpresponsedispatcherxssphalconcontent security policyX-Frame-OptionsX-XSS-Protectionphalconphp

This package is not auto-updated.

Last update: 2020-01-22 06:13:36 UTC

README

This plugin allows you to add CSP policies to your Phalcon based website. Content Security Policy (CSP) is a security standard to prevent cross-site scripting (XSS), clickjacking and other code injection attacks. Take a look at An Introduction to Content Security Policy article for more details.

Installation

Just use composer to install it:

$ composer require eugene-manuilov/phalcon-csp

Usage

To use CSP plugin in your site you just need to add it to the dependency injection container and register it as event listener for dispatcher events.

<?php

use Phalcon\Plugin\CSP\ContentSecurityPolicy;

// register CSP service
$di->set( 'csp', function() {
    $csp = new ContentSecurityPolicy();
	return $csp;
}, true );

// register application and add CSP to event manager
try {
    $csp = $di->getShared( 'csp' );

    $eventsManager = new \Phalcon\Events\Manager();
    $eventsManager->attach( 'application:beforeSendResponse', $csp );

    $application = new Application($di);
    $application->setEventsManager( $eventsManager );

    $response = $application->handle();
    $response->send();
} catch (\Exception $e) {
    echo $e->getMessage();
}

Now all your policies will be compiled into Content-Security-Policy header and added to the response instance. To add a new policy you need to call addPolicy() function which accepts policy name and a value:

<?php

use Phalcon\Plugin\CSP\ContentSecurityPolicy as CSP;

class IndexController extends \Phalcon\Mvc\Controller {

    public function indexAction() {
        // whitelist Google fonts origin
        $this->csp->addPolicy( CSP::DIRECTIVE_FONT_SRC, 'https://fonts.gstatic.com' );
    }

}

If you want to specify report URL which will be used to report all violations, then you need to call setReportURI() function.

$di->set( 'csp', function() {
    $csp = new ContentSecurityPolicy();
    $csp->setReportURI( '/path/to/report/endpoint' );

	return $csp;
}, true );

Using Content Security Policy header you can also tell browsers that you want to upgrade all insecure requests to use its secure versions. To do it you need to use setUpgradeInsecureRequests() function.

$di->set( 'csp', function() {
    $csp = new ContentSecurityPolicy();
    $csp->setUpgradeInsecureRequests();

	return $csp;
}, true );

Assets Manager

This plugin also provides assets manager class which extends standard assets manager class and automatically gathers origins of scripts and styles added with it. It also generates nonces for inline scripts and styles.

<?php

$di->set( 'assets', function() {
    $manager = new \Phalcon\Plugin\CSP\Assets\Manager();

	return $manager;
}, true );

Later on you can use it as standard assets manager class to add you scripts and styles files as well as inline blocks.