zae/content-security-policy

A really easy way to build CSP headers and add them to the response.

2.5.0 2020-09-21 15:53 UTC

This package is auto-updated.

Last update: 2024-10-22 01:05:28 UTC


README



Officially supported platforms:

  • Laravel: ^5.8
  • Craft: ^3.0

Install

Via Composer

$ composer require zae/content-security-policy

Laravel

Middleware

Add the middleware to the `web` group in `app/Http/Kernel.php` so that every web response carries the header:

protected $middlewareGroups = [
    'web' => [
        // ...
        \Zae\ContentSecurityPolicy\Laravel\Http\Middleware\ContentSecurityPolicy::class,
    ],
];

Config (config/csp.php)

Each entry is a directive class. A bare class name adds a directive that takes no value; a class used as a key with an array adds that directive with the listed options.

return [
    BlockAllMixedContent::class,
    Sandbox::class => [
        Sandbox::ALLOW_FORMS,
        Sandbox::ALLOW_SCRIPTS,
        Sandbox::ALLOW_TOP_NAVIGATION,
        Sandbox::ALLOW_SAME_ORIGIN,
        Sandbox::ALLOW_POPUPS,
    ],
];

Every `ALLOW_*` flag removes one of the restrictions that `sandbox` would otherwise impose on the document, so list only the ones the application actually needs; with the five above, the remaining protections are the ones not listed (for example modal dialogs and plugins stay blocked).

Craft 3

The library includes a module for Craft 3 that can send the CSP header and a twig function to get the current CSP nonce.

Register the module in `config/app.php` and bootstrap it so the header is sent on every request:

'modules' => [
    'csp' => \Zae\ContentSecurityPolicy\Craft\Module::class,
],
'bootstrap' => [
    'csp'
]

Use the twig functions like this:

<script nonce="{{ cspnonce() }}">
    // inline javascript
</script>

Config (config/csp.php)

return [
    'components' => [
        'builder' => Builder::class,
    ],
    'params' => [
        BlockAllMixedContent::class,
        Sandbox::class => [
            Sandbox::ALLOW_FORMS,
            Sandbox::ALLOW_SCRIPTS,
            Sandbox::ALLOW_TOP_NAVIGATION,
            Sandbox::ALLOW_SAME_ORIGIN,
            Sandbox::ALLOW_POPUPS,
        ]
    ]
];

Other

Although other frameworks are not officially supported yet, the library can be used with them; the easiest way is to build the directive set with FluidDirectivesFactory.

Fluid Factory

<?php
$csp = new CSP();
$factory = new FluidDirectivesFactory($csp);
$factory
    ->blockAllMixedContent()
    ->defaultSrc([
        Directive::SELF,
        'https:'
    ])
    ->baseUri([
        Directive::SELF
    ]);
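The `cspnonce()` twig helper above and the FluidDirectivesFactory hide the same few steps: generate an unpredictable nonce for this response, serialise the directives into a header value, and put the identical nonce on the inline `<script>` tag. The following plain PHP is an added illustration of those steps, not code from zae/content-security-policy; the class and function names (CspPolicy, buildExamplePolicy, renderInlineScript) are invented for this example, and the policy it builds mirrors the README's configuration plus a nonce-based `script-src`.

```php
<?php
declare(strict_types=1);

// Added illustration, not part of the zae/content-security-policy package.
// Names (CspPolicy, buildExamplePolicy, renderInlineScript) are invented here.

final class CspPolicy
{
    /** @var array<string, string[]> directive name => tokens ([] for a value-less directive) */
    private array $directives = [];

    /** @var string per-response nonce: 128 bits from a CSPRNG, base64-encoded as CSP requires */
    private string $nonce;

    public function __construct()
    {
        $this->nonce = base64_encode(random_bytes(16));
    }

    public function getNonce(): string
    {
        return $this->nonce;
    }

    /** Add or replace a directive. Keywords arrive already quoted ('self'); hosts and schemes unquoted. */
    public function directive(string $name, array $tokens = []): self
    {
        $this->directives[$name] = array_values($tokens);
        return $this;
    }

    /** script-src that trusts only scripts carrying this response's nonce (plus any extra sources). */
    public function scriptSrcNonce(array $extra = []): self
    {
        return $this->directive('script-src', array_merge(["'nonce-{$this->nonce}'"], $extra));
    }

    /** Serialise to the header value: "name token token; name; ...". */
    public function toHeaderValue(): string
    {
        $parts = [];
        foreach ($this->directives as $name => $tokens) {
            $parts[] = $tokens === [] ? $name : $name . ' ' . implode(' ', $tokens);
        }
        return implode('; ', $parts);
    }

    /** Emit the header; report-only mode lets a new policy be rolled out without breaking pages. */
    public function send(bool $reportOnly = false): void
    {
        $headerName = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
        header($headerName . ': ' . $this->toHeaderValue());
    }
}

/** The policy the README configures, plus a nonce-based script-src. */
function buildExamplePolicy(): CspPolicy
{
    return (new CspPolicy())
        ->directive('default-src', ["'self'", 'https:'])
        ->directive('base-uri', ["'self'"])
        ->directive('block-all-mixed-content')   // value-less directive
        ->directive('sandbox', ['allow-forms', 'allow-scripts', 'allow-top-navigation',
                                'allow-same-origin', 'allow-popups'])
        ->scriptSrcNonce();
}

/** Render an inline script whose nonce matches the header. $js is developer-authored code, not user input. */
function renderInlineScript(CspPolicy $policy, string $js): string
{
    $nonce = htmlspecialchars($policy->getNonce(), ENT_QUOTES, 'UTF-8');
    return "<script nonce=\"{$nonce}\">{$js}</script>";
}

// Demo: one policy object per response, hence one fresh nonce per response.
$first  = buildExamplePolicy();
$second = buildExamplePolicy();
if ($first->getNonce() === $second->getNonce()) {
    throw new RuntimeException('nonce was reused across responses');
}

echo 'Content-Security-Policy: ' . $first->toHeaderValue() . PHP_EOL;
echo renderInlineScript($first, 'console.log("allowed by nonce");') . PHP_EOL;
```

The point the demo checks is the one that most often goes wrong in practice: the nonce is only a proof that the script came from your server if it is generated per response and never stored. If a full-page or response cache keeps the rendered HTML together with its header, the cached nonce is served to every visitor, and anyone who can read the page now holds a value that makes their own injected `<script nonce="...">` pass the policy. Keep the header and any cached fragments that contain the nonce out of such caches, or rewrite the nonce when the cached page is served.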

Change log

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email ezra@tsdme.nl instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.