A really easy way to build CSP headers and add them to the response.
Officially supported platforms:
- Laravel: ^5.8
- Craft: ^3.0
Via Composer:

```bash
$ composer require zae/content-security-policy
```
Add the middleware to the middleware Kernel:

```php
// app/Http/Kernel.php
protected $middlewareGroups = [
    'web' => [
        ...
        \Zae\ContentSecurityPolicy\Laravel\Http\Middleware\ContentSecurityPolicy::class,
    ],
];
```
Configure the directives the middleware sends; each entry is a directive class, optionally mapped to its values:

```php
// Directive configuration for the Laravel middleware
return [
    BlockAllMixedContent::class,
    Sandbox::class => [
        Sandbox::ALLOW_FORMS,
        Sandbox::ALLOW_SCRIPTS,
        Sandbox::ALLOW_TOP_NAVIGATION,
        Sandbox::ALLOW_SAME_ORIGIN,
        Sandbox::ALLOW_POPUPS,
    ],
];
```
The library includes a module for Craft 3 that can send the CSP header, and a Twig function that returns the current CSP nonce.
Register the module like this:

```php
// config/app.php
'modules' => [
    'csp' => \Zae\ContentSecurityPolicy\Craft\Module::class,
],
'bootstrap' => [
    'csp',
],
```
Use the Twig function like this:

```twig
<script nonce="{{ cspnonce() }}">
// inline javascript
</script>
```
Configure the module with the builder component and the directives to send:

```php
// Module configuration for Craft 3
return [
    'components' => [
        'builder' => Builder::class,
    ],
    'params' => [
        BlockAllMixedContent::class,
        Sandbox::class => [
            Sandbox::ALLOW_FORMS,
            Sandbox::ALLOW_SCRIPTS,
            Sandbox::ALLOW_TOP_NAVIGATION,
            Sandbox::ALLOW_SAME_ORIGIN,
            Sandbox::ALLOW_POPUPS,
        ],
    ],
];
```
Although not officially supported yet, it's possible to use this library with other frameworks; an easy method is to use FluidDirectivesFactory:

```php
<?php
$csp = new CSP();
$factory = new FluidDirectivesFactory($csp);

// Build the policy fluently: block mixed content, then set default-src and base-uri.
$factory
    ->blockAllMixedContent()
    ->defaultSrc([
        Directive::SELF,
        'https:',
    ])
    ->baseUri([
        Directive::SELF,
    ]);
```
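As an added illustration, not code from zae/content-security-policy (whose serializer is not shown on this page), the stand-alone PHP below shows what the configurations above mean on the wire: a minimal serializer that turns a directive map into the `Content-Security-Policy` header value, plus a per-response nonce of the kind `cspnonce()` exposes. Directive names are the CSP spec's own; `buildCspHeader` and `cspNonce` are hypothetical helpers.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code: a minimal serializer showing the header
// value that directive configurations like the ones above resolve to.
// Directive names are the spec's own; buildCspHeader/cspNonce are hypothetical helpers.

// A nonce must be unpredictable and fresh per response: 128 bits of CSPRNG output, base64-encoded.
function cspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * @param array<string, list<string>|true> $directives  name => list of values, or true for a flag directive
 */
function buildCspHeader(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $values) {
        // Valueless directives such as block-all-mixed-content are emitted as the bare name.
        $parts[] = $values === true ? $name : $name . ' ' . implode(' ', $values);
    }
    return implode('; ', $parts);
}

$nonce = cspNonce();

// The same policy as the Sandbox/BlockAllMixedContent config and the
// FluidDirectivesFactory example above, plus a nonce-gated script-src.
$header = buildCspHeader([
    'block-all-mixed-content' => true,
    'sandbox' => ['allow-forms', 'allow-scripts', 'allow-top-navigation', 'allow-same-origin', 'allow-popups'],
    'default-src' => ["'self'", 'https:'],
    'base-uri' => ["'self'"],
    'script-src' => ["'self'", "'nonce-{$nonce}'"],
]);

// The header must be sent before any body output.
header('Content-Security-Policy: ' . $header);

// Only inline scripts carrying this exact nonce attribute run; a script injected
// without it (or with a stale one) is blocked by the browser.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">/* inline javascript */</script>';
```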
Please see CHANGELOG for more information on what has changed recently.
Please see CONTRIBUTING for details.
If you discover any security-related issues, please email ezra@tsdme.nl instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.