stevenmaguire / middleware-csp
Provides support for enforcing Content Security Policy with headers in PSR 7 responses.
Installs: 145 169
Dependents: 1
Suggesters: 0
Security: 0
Stars: 8
Watchers: 2
Forks: 2
Open Issues: 0
Requires
- php: >=5.4.0
- psr/http-message: ^1.0
Requires (Dev)
- mockery/mockery: 0.9.*@dev
- phpunit/phpunit: 3.7.*
- squizlabs/php_codesniffer: ~2.0
This package is auto-updated.
Last update: 2024-10-14 11:29:59 UTC
README
Provides support for enforcing Content Security Policy with headers in PSR 7 responses.
About CSP (Content Security Policy)
The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header. - via content-security-policy.com
TL;DR from Google
- Use whitelists to tell the client what's alowed and what isn't.
- Learn what directives are available.
- Learn the keywords they take.
- Inline code and eval() are considered harmful.
- Report policy violations to your server before enforcing them.
Install
Via Composer
$ composer require stevenmaguire/middleware-csp
Usage
Frameworks and routing layer projects may implement middleware differently. This package is designed to aid in the implementation of CSP for many of those variations provided the middleware pattern expects to provide a Psr\Http\Message\ResponseInterface
and receive an updated Psr\Http\Message\ResponseInterface
in return.
Generic Example
<?php namespace Stevenmaguire\Http\Middleware\Test; use Psr\Http\Message\ResponseInterface; use Stevenmaguire\Http\Middleware\EnforceContentSecurity; class GenericMiddleware extends EnforceContentSecurity { /** * Applies content security policy to given response. * * @param ResponseInterface $response * @param array $profiles * * @return ResponseInterface */ public function handle(ResponseInterface $response, $profiles = []) { array_map(function ($profile) { $this->loadProfileByKey($profile); }, $profiles); return $this->addPolicyHeader($response); } /** * Adds profile configuration to underlying middleware. * * @param array $profileConfig * * @return EnforceContentSecurity */ public function addProfileConfiguration($profileConfig = []) { return $this->setProfiles($profileConfig); } /** * Encodes a given configuration into formatted directive string. * * @param array $config * * @return string */ public function getEncodedConfiguration($config = []) { return $this->encodeConfiguration($config); } }
In this example $profiles
is an array of middleware-csp-php
specific configuration that directs the package on how to decorate the response.
Here is an example of configuration for two profiles.
// within config/security.php return [ 'content' => [ 'default' => 'global', 'profiles' => [ 'global' => [ 'base-uri' => "'self'", 'default-src' => "'self'", 'font-src' => [ // e.g. only allows fonts from your server and fonts.gstatic.com "'self'", 'fonts.gstatic.com' ], 'img-src' => "'self'", 'script-src' => "'self'", 'style-src' => [ "'self'", "'unsafe-inline'", 'fonts.googleapis.com' ], ], 'flickr' => [ 'img-src' => [ 'https://*.staticflickr.com', ], ], ], ], ];
Framework Specific Implementations
Defining a CPS
You should try to keep your Content Security Policy as strict as possible. It is best to not allow inline scripts and only files from a trusted source. Only add sources that you activly use and not those that you might use in the future.
CSP 1.0 Spec
New in CSP 2.0
Browser Support
This is a high level summary of browser support for CSP. For more detailed specifications review Mozilla or caniuse
Testing
$ ./vendor/bin/phpunit
Contributing
Please see CONTRIBUTING for details.
Credits
License
The MIT License (MIT). Please see License File for more information.