mvccore/ext-tool-csp

MvcCore - Extension - Tool - Csp - utility to easilly complete `Content-Security-Policy` HTTP header.

v5.3.0 2024-11-21 15:01 UTC

This package is auto-updated.

Last update: 2024-11-21 16:01:07 UTC


README

Latest Stable Version License PHP Version

Installation

composer require mvccore/ext-tool-csp

Features

Extension to easilly complete Content-Security-Policy HTTP header.
Read more info here:

Usage

<?php

include_once('vendor/autoload.php');

use \MvcCore\Ext\Tools\Csp;

$csp = Csp::GetInstance()
	->Disallow(
		Csp::FETCH_DEFAULT_SRC | 
		Csp::FETCH_OBJECT_SRC
	)
	->AllowSelf(
		Csp::FETCH_SCRIPT_SRC | 
		Csp::FETCH_STYLE_SRC | 
		Csp::FETCH_IMG_SRC |
		Csp::FETCH_FONT_SRC |
		Csp::FETCH_MEDIA_SRC |
		Csp::FETCH_CONNECT_SRC |
		Csp::FETCH_FRAME_SRC
	)
	->AllowHosts(
		Csp::FETCH_SCRIPT_SRC | Csp::FETCH_CONNECT_SRC, [
			'https://some.tracking-counter-1.com/',
		]
	)
	->AllowHosts(
		Csp::FETCH_SCRIPT_SRC, [
			'https://cdnjs.com/',
			'https://code.jquery.com/',
		]
	)
	->AllowHosts(
		Csp::FETCH_IMG_SRC, [
			'data:',
		]
	)
	->AllowNonce(Csp::FETCH_SCRIPT_SRC)
	->AllowGoogleMaps();
	
header($csp->GetHeader());
	
?><!DOCTYPE HTML>
<html lang="en-US">
	<head>
		<meta charset="UTF-8">
		<title>CSP</title>
	</head>
	<body>
		<script nonce="<?=$csp->GetNonce()?>" type="text/javascript">
			document.write("Safe working javascript code.");
		</script>
		<hr />
		<script type="text/javascript">
			document.write("Dangerous not working javascript code.");
		</script>
	</body>
</html>