Download the PHP package opctim/symfony-csp-bundle without Composer

On this page you can find all versions of the php package opctim/symfony-csp-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries; an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case credentials are needed to access such packages. Please use the auth.json textarea to enter the credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs many resources, which are sometimes not available on a simple webspace.
  • If you use private repositories, you don't need to share your credentials: set everything up on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process: use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package symfony-csp-bundle

Symfony CSP Bundle


Ever fought with CSP headers? Me too. It always used to be a pain to configure CSP headers properly.

But setting CSP header directives is more important than ever! If you ever came across different tracking scripts, you probably also noticed how many additional fourth-party scripts are lazy loaded. This could lead to malicious JavaScript being loaded to your page, which could be catastrophic, especially when building payment gateways.

It even helps you add dynamic nonce tokens when you are not using the unsafe-inline directive (which you should avoid).

Requirements

Installation

Configuration

In your config/ directory, add / edit opctim_csp_bundle.yaml:

You can use any directives you want here! This is just a fancy way of writing the directives.

So:

becomes

The always_add option

As the name implies, this option adds the specified origins to all directives. This can be useful with when@dev:

Important: If 'none' is the first and only value of a directive, that directive is skipped by the always_add functionality (appending origins to it would silently widen it). This feature was added in 1.1.4.

You also can use when@dev to add origins to specific directives conditionally:

The report option

This bundle provides you with an easy way to configure the report feature of CSP, which makes browsers report to your backend whenever your CSP configuration blocks a resource. There are currently two implementations in browsers, report-uri and report-to:

Following the MDN docs, this bundle adds the report-uri directive and the Reporting-Endpoint header, so that newer browsers are supported as well.

This bundle provides a backwards compatible implementation, which should be supported by all browsers.

Here is some pseudocode explaining the chance option:

With a chance of 100%, reporting is enabled on every request. Depending on the traffic of your app, a chance of around 5-10% is recommended so that you are not flooded with CSP report messages.
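As an added illustration (not the bundle's own code, and not the pseudocode from the original README), the following script shows how a percentage chance can gate CSP reporting per request, and which directive/header pair a sampled response carries. The function names, the csp-endpoint name and the report URL are assumptions made for this example.

```php
<?php
// Added illustration, not the bundle's own code: a per-request "chance"
// check for CSP violation reporting, plus the headers a sampled response
// carries. shouldReport(), cspReportingHeaders(), observedSampleRate(),
// the endpoint name 'csp-endpoint' and the report URL are assumptions.

declare(strict_types=1);

/**
 * Decide whether this request should ask the browser to send CSP reports.
 * $chance is a percentage in [0, 100]. $roll lets a caller inject the random
 * value (also in [0, 100)) so the decision can be checked deterministically.
 */
function shouldReport(float $chance, ?float $roll = null): bool
{
    $chance = max(0.0, min(100.0, $chance));
    if ($roll === null) {
        // random_int() is CSPRNG-backed; scale it to a float in [0, 100)
        $roll = random_int(0, PHP_INT_MAX - 1) / PHP_INT_MAX * 100.0;
    }
    return $roll < $chance;   // chance 100 => always true, chance 0 => never
}

/**
 * Headers for one response. When the request is sampled, the legacy
 * report-uri directive and the newer report-to directive are both appended,
 * and the Reporting-Endpoints header (Reporting API) names the endpoint that
 * report-to refers to, so old and new browsers can both deliver reports.
 *
 * @return array<string, string>
 */
function cspReportingHeaders(string $basePolicy, string $reportUrl, float $chance, ?float $roll = null): array
{
    if (!shouldReport($chance, $roll)) {
        return ['Content-Security-Policy' => $basePolicy];
    }
    $endpoint = 'csp-endpoint';
    return [
        'Content-Security-Policy' => rtrim($basePolicy, '; ')
            . '; report-uri ' . $reportUrl
            . '; report-to ' . $endpoint,
        'Reporting-Endpoints' => sprintf('%s="%s"', $endpoint, $reportUrl),
    ];
}

/** Share of $requests that would be sampled at the given chance (sanity check). */
function observedSampleRate(float $chance, int $requests): float
{
    $hits = 0;
    for ($i = 0; $i < $requests; $i++) {
        if (shouldReport($chance)) {
            $hits++;
        }
    }
    return $hits / $requests;
}

// Constructed demo: a 5% chance, one forced hit and one forced miss
$policy = "default-src 'self'; script-src 'self'";
$url    = 'https://app.example/csp-report';   // constructed endpoint URL

print_r(cspReportingHeaders($policy, $url, 5.0, 3.2));   // sampled: two headers
print_r(cspReportingHeaders($policy, $url, 5.0, 42.0));  // not sampled: policy only
printf("observed rate at 5%%: %.3f\n", observedSampleRate(5.0, 20000));
```

The roll has to happen on every request, not once at container boot, otherwise a chance below 100% degrades into "all or nothing" for the lifetime of the process. Browsers that understand report-to ignore report-uri when both are present, so emitting both does not produce duplicate reports from a single browser.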

Dynamic nonce tokens

Dynamic nonce tokens let you allow specific inline script tags in your Twig templates without compromising security, e.g. by omitting nonces or hard-coding them ;)

Configuration syntax

Example

In opctim_csp_bundle.yaml:

On request, nonce(my-inline-script) will be transformed to e.g. nonce-25d2ec8bb6 and will later appear in the response CSP header.

Then, in your twig template you can simply use the csp_nonce('my-inline-script') function that is provided by this bundle:

The rendered result:

Hooking into the CSP header generation

A key feature of this bundle is the dynamic nonce implementation. The bundle hooks into the Symfony event system and generates fresh nonce tokens for you - on every request!

On request, the bundle prepares the CSP header directives to be written to headers on response. Here, the nonce() expressions from opctim_csp_bundle.yaml are parsed.
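The following script is an added illustration (it is not the bundle's implementation) of the directive handling described in the configuration and nonce sections above: a directive map in the style of opctim_csp_bundle.yaml is rendered into a CSP header value, every origin under always_add is appended to each directive except those whose only value is 'none', and each nonce(<name>) expression is replaced by a fresh per-request nonce that the template layer can also read for its script tag. NonceRegistry, buildCspHeader(), renderInlineScript() and the sample directives are assumptions made for this example; the nonce source is emitted quoted, as CSP syntax requires.

```php
<?php
// Added illustration, not the bundle's own code. Mirrors the documented
// rules: always_add origins are appended to every directive except a
// 'none'-only one, and nonce(<name>) becomes 'nonce-<token>' with a token
// generated once per request. Class and function names are assumptions.

declare(strict_types=1);

/** Generates, once per request, the random token behind each named nonce. */
final class NonceRegistry
{
    /** @var array<string, string> */
    private array $nonces = [];

    public function get(string $name): string
    {
        // 16 random bytes (128 bits) as hex; one token per name per request
        $this->nonces[$name] ??= bin2hex(random_bytes(16));
        return $this->nonces[$name];
    }
}

/**
 * @param array<string, list<string>> $directives e.g. ['script-src' => ["'self'", 'nonce(my-inline-script)']]
 * @param list<string>                $alwaysAdd  origins appended to every directive (e.g. only under when@dev)
 */
function buildCspHeader(array $directives, array $alwaysAdd, NonceRegistry $nonces): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $sources = array_values($sources);
        // Documented exception: a directive that is exactly 'none' stays 'none';
        // appending an origin to it would silently widen the policy.
        $isNoneOnly = count($sources) === 1 && trim($sources[0], "'") === 'none';
        if (!$isNoneOnly) {
            $sources = array_merge($sources, $alwaysAdd);
        }
        $rendered = [];
        foreach ($sources as $src) {
            if (preg_match('/^nonce\(([A-Za-z0-9_-]+)\)$/', $src, $m)) {
                // nonce(name) -> 'nonce-<token>' (the quotes are part of CSP syntax)
                $src = "'nonce-" . $nonces->get($m[1]) . "'";
            }
            $rendered[] = $src;
        }
        $parts[] = $name . ' ' . implode(' ', array_unique($rendered));
    }
    return implode('; ', $parts);
}

/** What a template helper like csp_nonce('name') would produce for an inline script. */
function renderInlineScript(NonceRegistry $nonces, string $name, string $js): string
{
    return sprintf('<script nonce="%s">%s</script>', htmlspecialchars($nonces->get($name), ENT_QUOTES), $js);
}

// Constructed input in the README's directive style
$directives = [
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", 'nonce(my-inline-script)'],
    'object-src'  => ["'none'"],          // stays 'none' despite always_add
];
$alwaysAdd = ['https://cdn.example'];     // constructed origin

$nonces = new NonceRegistry();
echo 'Content-Security-Policy: ' . buildCspHeader($directives, $alwaysAdd, $nonces) . "\n";
echo renderInlineScript($nonces, 'my-inline-script', 'console.log("hello");') . "\n";
```

The same NonceRegistry instance must serve both the header and the template render of one request, otherwise the nonce in the tag and the nonce in the header diverge and the browser blocks the script; a new instance per request is what keeps a nonce from being reused across responses.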

The bundle will add this value to the Response in the following three headers for compatibility across browsers:

If you want to modify the CSP header before it is written to the response, you can hook into the generation by subscribing to the opctim_csp_bundle.add_csp_header event:

Tests

Tests are located inside the tests/ folder and can be run with vendor/bin/phpunit:


All versions of symfony-csp-bundle with dependencies

Requires:
  • php >=7.4.33
  • ext-openssl *
  • symfony/framework-bundle ^5.4 || ^6.4 || ^7.0
  • symfony/event-dispatcher ^5.4 || ^6.4 || ^7.0
