zae / csp-reporting
CSP Reporting
Installs: 1 938
Dependents: 0
Suggesters: 1
Security: 0
Stars: 2
Watchers: 4
Forks: 1
Open Issues: 1
Requires
- php: >= 8.0
- ext-json: *
- nyholm/psr7: ^1.2
- psr/log: ^1.0 || ^2.0 || ^3.0
- symfony/psr-http-message-bridge: ^2.0
Requires (Dev)
- bugsnag/bugsnag: ^3.0
- craftcms/cms: ^3.0
- illuminate/cache: ^8.0 || ^9.0 || ^10.0
- illuminate/http: ^8.0 || ^9.0 || ^10.0
- infection/infection: >= 0.17
- mockery/mockery: ^1.3
- orchestra/testbench: ^6.0 || ^7.0 || ^8.0
- phpunit/phpunit: ^8.3 || ^9.0
- vimeo/psalm: ^5.0
Suggests
- bugsnag/bugsnag: If you want to use the BugsnagPersister
- illuminate/cache: If you want to use the CacheRateLimiter
- zae/content-security-policy: Add CSP headers to your responses
- zae/strict-transport-security: Add HSTS header to your responses
README
Catch the policy violations your users generate and store them somewhere
Install
Via Composer
$ composer require zae/csp-reporting
Usage
Configure your csp reports to go to /csp-report
.
Laravel
Publish the config file using artisan vendor:publish
#config/csp-report.php return [ 'persist' => [ 'class' => LogCspPersister::class, 'properties' => [ 'loglevel' => Psr\Log\LogLevel::INFO ] ], 'limiter' => [ 'class' => CspCacheLimiter::class, 'properties' => [ 'key' => 'csp-rate-limiter', 'maxAttempts' => 1, 'decay' => 60 ] ], ];
By default the plugin will store the violations in the log, but there is also a BugsnagPersister
that
will send the violation to bugsnag.
Craft 3
Configure your application to use the Module with the right limiter and persister.
use Zae\ContentSecurityPolicyReporting\Contracts\CspLimiter; use Zae\ContentSecurityPolicyReporting\Contracts\CspPersistable; use Zae\ContentSecurityPolicyReporting\Limiters\CspLotteryLimiter; use Zae\ContentSecurityPolicyReporting\Persisters\BugsnagCspPersister; return [ 'bootstrap' => [ 'csp-reporting' ], 'components' => [ 'csp-reporting' => [ 'class' => \Zae\ContentSecurityPolicyReporting\Craft\Module::class, 'components' => [ CspPersistable::class => static function () { return new BugsnagCspPersister( \Bugsnag\Client::make(getenv('BUGSNAG_API_KEY')) ); }, CspLimiter::class => static function () { return new CspLotteryLimiter(5); } ] ], ] ]
On high traffic sites the violations might occur often and probably they will all be the same, so the limiter will make sure only a part of the violations will actually be stored.
The properties array will allow you to configurate the handlers.
You can also provide your own classes as long as they implement the right interfaces.
Provided Limiters
CspCacheLimiter
CspLotteryLimiter
Provided Persisters
LogCspPersister
BugsnagCspPersister
Testing
$ composer run test
Contributing
Contributions are welcome via pull requests on github.
Credits
License
The MIT License (MIT). Please see License File for more information.