Download the PHP package nswdpc/silverstripe-csp without Composer

On this page you can find all versions of the PHP package nswdpc/silverstripe-csp. It is possible to download and install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on simple webspace.
  • If you are using private repositories, you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package silverstripe-csp

Content Security Policy (CSP) module for Silverstripe websites

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

This module provides the ability to:

Once a CSP is in place and working, any asset loads that do not meet policy requirements will be blocked, with warnings similar to this in the browser dev console:

Refused to load the script 'https://badactor.example.com/eval.js' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-example' https://cdnjs.cloudflare.com/".

Versioning

For Silverstripe 5.x, use version constraint ^1

For Silverstripe 4.x, use version constraint ^0.4.3

Installation

The only supported method of installing this module is via Composer:

Instructions

Warning: An incorrectly implemented CSP can have negative effects for valid visitors to your website.

  1. Read the initial documentation
  2. Read the good-to-know section
  3. Install the module on a development instance of your website and configure it
  4. Add at least one Policy record in the "CSP" administration section.
    • Set it to 'report only'
    • Mark it as the 'base policy'
    • Optionally, make it available on your draft site only
  5. Set the policy to be delivered via HTTP headers (you can use meta tags, but this method limits the features you can use).
  6. Add some Directives
  7. Mark the Policy 'Enabled' and save it
  8. Watch for violation reports or look at your browser dev console

When you are pleased with the settings, check the "Use on published website" setting and save.

After UAT is complete, implement the same process on your production website. You should run the policy as report-only and monitor reports, initially.
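
While the policy runs as report-only, the violation reports decide which directives still need work. The following is an added example, not code from the module: it groups report bodies in the standard `csp-report` JSON shape by directive and blocked origin. The sample reports and the function names are constructed for illustration.

```javascript
// Added example: triage of CSP violation reports during a report-only rollout.
// SAMPLE_REPORTS is constructed data, not output from the module.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://www.example.com/',
    'effective-directive': 'script-src-elem',
    'blocked-uri': 'https://cdnjs.cloudflare.com/ajax/libs/a.js' } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://www.example.com/contact',
    'effective-directive': 'script-src-elem',
    'blocked-uri': 'https://cdnjs.cloudflare.com/ajax/libs/b.js' } }),
  // Older report shape: only violated-directive, which carries the source list too.
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://www.example.com/',
    'violated-directive': "style-src 'self'",
    'blocked-uri': 'inline' } }),
  'not json', // malformed body
];

// Reduce a blocked-uri to its origin; keywords such as "inline" or "eval" are kept as-is.
function blockedOrigin(blockedUri) {
  try { return new URL(blockedUri).origin; } catch { return blockedUri || '(empty)'; }
}

// Group reports by directive and blocked origin, counting hits and affected pages.
function summariseReports(rawBodies) {
  const groups = new Map();
  let rejected = 0;
  for (const raw of rawBodies) {
    let report;
    try { report = JSON.parse(raw)['csp-report']; } catch { report = undefined; }
    if (!report || typeof report !== 'object') { rejected += 1; continue; }
    const directive = report['effective-directive']
      || String(report['violated-directive'] || '').split(/\s+/)[0] || '(unknown)';
    const key = `${directive} ${blockedOrigin(report['blocked-uri'])}`;
    const group = groups.get(key) || { key, count: 0, pages: new Set() };
    group.count += 1;
    if (report['document-uri']) group.pages.add(report['document-uri']);
    groups.set(key, group);
  }
  // Most frequent first; each row is a candidate for review, not an automatic allow-list entry.
  const rows = [...groups.values()].sort((a, b) => b.count - a.count || a.key.localeCompare(b.key));
  return { rows, rejected };
}

console.log(summariseReports(SAMPLE_REPORTS));
```

A group that spans many pages usually points at a site-wide asset missing from the base policy, while a group seen on one page is a candidate for fixing the page itself.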

Page specific policies

By default, Pages can define an extra Policy for delivery when requested, with the following caveat:

Adding additional policies can only further restrict the capabilities of the protected resource

MDN provides some useful information on this process:

This means that you can't (currently) relax the base policy restrictions from within your page policy.
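
The caveat above follows from how browsers combine policies: a load must pass every policy delivered with the response. The following is an added example, not the module's code, that models this for script URLs with a deliberately simplified source matcher. The policies, origin and function names are constructed for illustration.

```javascript
// Added example: simplified model of a browser enforcing several CSPs at once.
// Only 'none', 'self', '*' and scheme://host[/path] sources are modelled;
// nonces, hashes, scheme-only sources and host wildcards are left out.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Within one policy, a repeated directive is ignored: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none' and unmodelled keywords
  let allowed;
  try { allowed = new URL(source); } catch { return false; }
  if (allowed.origin !== url.origin) return false;
  // A source path ending in "/" is a prefix match; any other path must match exactly.
  const path = allowed.pathname;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function policyAllowsScript(header, scriptUrl, pageOrigin) {
  const directives = parsePolicy(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Every delivered policy must allow the load, so the result is an intersection.
function allPoliciesAllowScript(headers, scriptUrl, pageOrigin) {
  return headers.every((h) => policyAllowsScript(h, scriptUrl, pageOrigin));
}

// Constructed sample policies and origin.
const ORIGIN = 'https://www.example.com';
const BASE_POLICY = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com/";
const PAGE_WIDER = "script-src 'self' https://cdnjs.cloudflare.com/ https://widgets.example.com/";
const PAGE_NARROWER = "script-src 'self'";
console.log(allPoliciesAllowScript([BASE_POLICY, PAGE_WIDER], 'https://widgets.example.com/w.js', ORIGIN));
```

The wider page policy on its own would allow the widget script, but combined with the base policy the load is still refused; the narrower page policy removes the CDN for that page only.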

Using a nonce

See using a nonce

Good-to-know

See good-to-know

Violation Reports

See reporting

Minimum CSP Level

Refer to the following for changes between levels:

Additional Help

See further reading

Browser Compatibility

See browser support

Maintainers

Bugtracker

We welcome bug reports, pull requests and feature requests on the GitHub Issue tracker for this project.

Please review the code of conduct prior to opening a new issue.

Security

If you have found a security issue with this module, please email digital[@]dpc.nsw.gov.au in the first instance, detailing your findings.

Development and contribution

If you would like to make contributions to the module please ensure you raise a pull request and discuss with the module maintainers.

Please review the code of conduct prior to completing a pull request.


All versions of silverstripe-csp with dependencies

Requires:
  • ext-xml: *
  • silverstripe/cms: ^5
  • symbiote/silverstripe-queuedjobs: ^5
  • symbiote/silverstripe-multivaluefield: ^6