Download the PHP package flowpack/content-security-policy without Composer

On this page you can find all versions of the php package flowpack/content-security-policy. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add a single include, require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended always to use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting areas are not accessible via a terminal or SSH. In that case it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package content-security-policy

Flowpack.ContentSecurityPolicy

Introduction

Flow/Neos package to set your site's content security policy header easily with yaml.

Usage

Import the package using composer:

The package is automatically active once imported. By default, the response header Content-Security-Policy will now be included.

It will use the default configuration which looks like this:

With this configuration only resources from the same origin are allowed for the most common directives. The header is enabled by default and the report-only mode is disabled.

Custom directives and values

If you want to override the default config, don't forget to add this package as a dependency in the composer.json file of your package. Otherwise it might not work because of the loading order of the packages.

The default configuration will probably not suit your needs, so you can add your own configuration by adding a custom array like this in your own yaml configuration files:

If you want to fully override the entire default config, just override the default key in yaml.

Show CSP configuration

To show the parsed configuration, the built-in command ./flow cspconfig:show can be used. It shows all directives used by the frontend and the backend.

Disable or report only

To disable the header simply set enabled to false. If you want to add it as a report only header set report-only to true. That way you have the option to see the possible errors without breaking functionality.

Nonce

You might want to use a nonce to allow inline scripts and styles while staying secure. To do this, simply add {nonce} as an option in a directive, like this:

Now the header will include a nonce-... value (an automatically generated random string) in the script-src directive, so inline scripts without the corresponding nonce will be blocked.

The nonce will be automatically added to all your script/style tags.
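The following PHP script is an added illustration of how the custom, enabled/report-only and {nonce} settings described above combine into the response header; it is not the package's own code. The key names follow this README, but the array layout and the rule that custom values extend (rather than replace) the defaults are assumptions.

```php
<?php
// Added illustration, not the package's own code. Key names follow the
// README; the array layout and the merge rule are assumptions.

function generateNonce(): string
{
    return base64_encode(random_bytes(16)); // fresh per response, never reused
}

// Returns [headerName, headerValue], or null when the policy is disabled.
function buildCspHeader(array $config, string $nonce): ?array
{
    if (empty($config['enabled'])) {
        return null;                                    // enabled: false
    }
    $directives = $config['default'] ?? [];
    foreach ($config['custom'] ?? [] as $name => $values) {
        // assumption: custom values extend the defaults rather than replace them
        $directives[$name] = array_values(array_unique(
            array_merge($directives[$name] ?? [], $values)
        ));
    }
    $parts = [];
    foreach ($directives as $name => $values) {
        // {nonce} becomes the quoted 'nonce-...' source expression
        $rendered = array_map(
            fn(string $v): string => $v === '{nonce}' ? "'nonce-{$nonce}'" : $v,
            $values
        );
        $parts[] = $name . ' ' . implode(' ', $rendered);
    }
    $headerName = empty($config['report-only'])
        ? 'Content-Security-Policy'
        : 'Content-Security-Policy-Report-Only';        // report, do not block
    return [$headerName, implode('; ', $parts)];
}

// Constructed sample configuration using the README's keys
$config = [
    'enabled'     => true,
    'report-only' => false,
    'default'     => ['default-src' => ["'self'"], 'script-src' => ["'self'"]],
    'custom'      => ['script-src' => ['{nonce}', 'https://cdn.example.com']],
];

$nonce  = generateNonce();
$header = buildCspHeader($config, $nonce);
if ($header !== null) {
    echo $header[0] . ': ' . $header[1] . PHP_EOL;
}
```

Setting 'report-only' => true switches the header name so violations are only reported, and 'enabled' => false suppresses the header entirely.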

Backend

Because the Neos backend is currently rendered a bit differently than the frontend, a separate policy is added for the backend. I currently have found no suitable way to add the nonce to the inline scripts in the Neos UI package. So the CSP for the backend looks like this:

Unsafe inline scripts and styles are allowed in the backend because otherwise the backend won't work.

Again, you can add your own policies in the custom-backend array in the same way as in the custom array for the frontend.

Thank you

This package originates from https://github.com/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy.

Thank you Lars Nieuwenhuizen for your work.


All versions of content-security-policy with dependencies

Requires:
  • php ^8.1
  • neos/flow ^8.3
