zae / content-security-policy
A really easy way to build CSP headers and add them to the response.
Installs: 6 765
Dependents: 0
Suggesters: 1
Security: 0
Stars: 0
Watchers: 2
Forks: 1
Open Issues: 1
Requires
- php: >= 7.2
Requires (Dev)
- craftcms/cms: ^3.0
- illuminate/http: ^5.0 | ^6.0
- illuminate/support: ^5.0 | ^6.0
- orchestra/testbench: ^4.4
- twig/twig: ^2.7
Suggests
- craftcms/craft: The included twig extension requires at least craft 3.0
- illuminate/http: The included laravel extension requires at least laravel http 5.0 or the complete framework
- illuminate/support: The included laravel/craft extension requires at least laravel support 5.0 or the complete framework
- twig/twig: The included twig extension requires at least twig 2.7
- zae/csp-reporting: Library to store the csp policy violations
- zae/strict-transport-security: Add HSTS header to your responses
This package is auto-updated.
Last update: 2024-12-22 01:39:55 UTC
README
A really easy way to build CSP headers and add them to the response.
Officially supported platforms:
- Laravel: ^5.8
- Craft: ^3.0
Install
Via Composer
$ composer require zae/content-security-policy
Laravel
Middleware
Add the middleware to the middleware Kernel.
protected $middlewareGroups = [ 'web' => [ ... \Zae\ContentSecurityPolicy\Laravel\Http\Middleware\ContentSecurityPolicy::class ], ]
Config (config/csp.php)
return [ BlockAllMixedContent::class, Sandbox::class => [ Sandbox::ALLOW_FORMS, Sandbox::ALLOW_SCRIPTS, Sandbox::ALLOW_TOP_NAVIGATION, Sandbox::ALLOW_SAME_ORIGIN, Sandbox::ALLOW_POPUPS, ] ];
Craft 3
The library includes a module for Craft 3 that can send the CSP header and a twig function to get the current CSP nonce.
Register the module like this:
'modules' => [ 'csp' => \Zae\ContentSecurityPolicy\Craft\Module::class, ], 'bootstrap' => [ 'csp' ]
Use the twig functions like this:
<script nonce="{{ cspnonce() }}"> // inline javascript </script>
Config (config/csp.php)
return [ 'components' => [ 'builder' => Builder::class, ], 'params' => [ BlockAllMixedContent::class, Sandbox::class => [ Sandbox::ALLOW_FORMS, Sandbox::ALLOW_SCRIPTS, Sandbox::ALLOW_TOP_NAVIGATION, Sandbox::ALLOW_SAME_ORIGIN, Sandbox::ALLOW_POPUPS, ] ] ];
Other
Although not officially supported yet, it's possible to use this library with other frameworks, an easy method is by using FluidDirectivesFactory.
Fluid Factory
<?php $csp = new CSP(); $factory = new FluidDirectivesFactory($csp); $factory ->blockAllMixedContent() ->defaultSrc([ Directive::SELF, 'https:' ]) ->baseUri([ Directive::SELF ]);
Change log
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email ezra@tsdme.nl instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.