1. Go to this page and download the library: Download codicastudio/csp library. Choose the download type require.
2. Extract the ZIP file and open the index.php.
3. Add this code to the index.php.
<?php
// Composer autoloader: every snippet below assumes codicastudio/csp has been
// installed via Composer so its classes resolve through this file.
require_once 'vendor/autoload.php';
codicastudio / csp example snippets
return [
    // Which CSP headers are emitted is decided by this policy. Any class that
    // extends `codicastudio\csp\Policies\Policy` is acceptable here.
    'policy' => codicastudio\csp\Policies\Basic::class,

    // A second policy that is applied in report-only mode: violations are
    // reported but nothing is blocked, which makes it safe for trialling a
    // new policy or a change to the existing one.
    'report_only_policy' => '',

    // Destination for violation reports (https://report-uri.com/ is one
    // option). Calling `reportTo` on a policy overrides this value.
    'report_uri' => env('CSP_REPORT_URI', ''),

    // Headers are only added when this is true. Turning it off removes the
    // CSP protection entirely, so keep it enabled outside local development.
    'enabled' => env('CSP_ENABLED', true),

    // Class that generates the nonces used in inline tags and in the headers.
    'nonce_generator' => codicastudio\csp\Nonce\RandomString::class,
];
// in a routes file: attach the CSP middleware to a single route. Without a
// middleware parameter the policy from the config file's 'policy' key is
// presumably the one applied — confirm against the middleware.
$cspMiddleware = codicastudio\csp\AddcspHeaders::class;
Route::get('my-page', 'MyController')->middleware($cspMiddleware);
// in a routes file: same middleware, but with an explicit policy class passed
// as the middleware parameter ("Middleware:Parameter" form) so that this
// route uses MyPolicy instead of the configured default.
$cspMiddleware = sprintf('%s:%s', codicastudio\csp\AddcspHeaders::class, MyPolicy::class);
Route::get('my-page', 'MyController')->middleware($cspMiddleware);
// in a policy
...
->addDirective(Directive::SCRIPT, Keyword::SELF) // will output `'self'` when outputting headers
->addDirective(Directive::STYLE, 'sha256-hash') // will output `'sha256-hash'` when outputting headers
...
// in a policy
...
->addDirective(Directive::SCRIPT, [
Keyword::STRICT_DYNAMIC,
Keyword::SELF,
'www.google.com',
])
->addDirective(Directive::SCRIPT, 'strict-dynamic self www.google.com')
// will both output `'strict-dynamic' 'self' www.google.com` when outputting headers
...
// in a policy
...
->addDirective(Directive::UPGRADE_INSECURE_REQUESTS, Value::NO_VALUE)
->addDirective(Directive::BLOCK_ALL_MIXED_CONTENT, Value::NO_VALUE);
...
namespace codicastudio\csp\Policies;
use codicastudio\csp\Directive;
use codicastudio\csp\Keyword;
use codicastudio\csp\Value;
class Basic extends Policy
{
    /**
     * Baseline policy: restrict every covered resource type to the page's own
     * origin, block plugins, and allow inline scripts/styles only when they
     * carry the per-request nonce (see 'nonce_generator' in the config).
     *
     * Note that `Keyword` must be imported alongside `Directive` for this
     * class to resolve.
     */
    public function configure()
    {
        $selfOnly = [
            Directive::BASE,
            Directive::CONNECT,
            Directive::DEFAULT,
            Directive::FORM_ACTION,
            Directive::IMG,
            Directive::MEDIA,
        ];

        foreach ($selfOnly as $directive) {
            $this->addDirective($directive, Keyword::SELF);
        }

        // object-src 'none': no <object>/<embed> plugins at all.
        $this->addDirective(Directive::OBJECT, Keyword::NONE);

        // Scripts and styles: same-origin sources plus a nonce, so inline
        // blocks can be allow-listed without resorting to 'unsafe-inline'.
        $this->addDirective(Directive::SCRIPT, Keyword::SELF);
        $this->addDirective(Directive::STYLE, Keyword::SELF);
        $this->addNonceForDirective(Directive::SCRIPT);
        $this->addNonceForDirective(Directive::STYLE);
    }
}
namespace App\Services\csp\Policies;
use codicastudio\csp\Directive;
use codicastudio\csp\Policies\Basic;
class MyCustomPolicy extends Basic
{
    /**
     * Extends the Basic policy with one additional script source.
     *
     * Everything Basic sets up (self-only sources, nonces for scripts and
     * styles) still applies; the only change is that scripts may also be
     * loaded from www.google.com. A host entry permits any script served
     * from that host, so keep such additions as narrow as possible.
     */
    public function configure()
    {
        parent::configure();

        $extraScriptHosts = ['www.google.com'];

        foreach ($extraScriptHosts as $host) {
            $this->addDirective(Directive::SCRIPT, $host);
        }
    }
}
// in a policy
public function configure()
{
$this
->addDirective(Directive::SCRIPT, 'self')
->addDirective(Directive::STYLE, 'self')
->addNonceForDirective(Directive::SCRIPT)
->addNonceForDirective(Directive::STYLE)
...
}
/**
 * Inherit the parent policy unchanged, then switch it to report-only mode so
 * violations are reported rather than enforced. Handy while trialling a
 * policy; drop the reportOnly() call once the policy is meant to be enforced.
 */
public function configure()
{
    parent::configure();
    $this->reportOnly();
}
// Bind the policy as a singleton so that every later app(AppPolicy::class)
// call resolves the same instance; directives added to it at runtime are
// therefore visible wherever the policy is used.
$this->container->singleton(AppPolicy::class, function ($container) {
    return new AppPolicy();
});
// Relax the singleton policy to permit inline scripts and styles.
// NOTE(review): 'unsafe-inline' largely defeats CSP for these two directives,
// and when the same directive also carries a nonce or hash (as Basic's
// addNonceForDirective adds), CSP Level 2 browsers ignore 'unsafe-inline'
// entirely — check the emitted header before relying on this.
$policy = AppPolicy::class;
foreach ([Directive::SCRIPT, Directive::STYLE] as $directive) {
    app($policy)->addDirective($directive, Keyword::UNSAFE_INLINE);
}