Download the PHP package stevenmaguire/middleware-csp without Composer

On this page you can find all versions of the php package stevenmaguire/middleware-csp. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries; an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In that case credentials are needed to access them. Please use the auth.json textarea to enter the credentials if a package comes from a private repository.

  • Some hosting environments are not accessible via a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set everything up on our site and then give a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package middleware-csp

Content Security Policy Middleware


Provides support for enforcing Content Security Policy with headers in PSR 7 responses.

About CSP (Content Security Policy)

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header. - via content-security-policy.com

TL;DR from Google

Install

Via Composer

Usage

Frameworks and routing layer projects implement middleware differently. This package is designed to aid in the implementation of CSP for many of those variations, provided the middleware pattern hands the middleware a Psr\Http\Message\ResponseInterface and expects an updated Psr\Http\Message\ResponseInterface back.

Generic Example

In this example $profiles is an array of configuration specific to middleware-csp-php that tells the package how to decorate the response.

Here is an example of configuration for two profiles.

Framework Specific Implementations

Defining a CSP

You should keep your Content Security Policy as strict as possible. It is best not to allow inline scripts and to allow only files from trusted sources. Only add sources that you actively use, not those you might use in the future. If you must ship inline scripts, use the CSP2 nonce or hash mechanisms rather than 'unsafe-inline'. When introducing or tightening a policy, deploy it first in the Content-Security-Policy-Report-Only header with a report-uri so violations are reported rather than blocked, then switch to the enforcing header once the reports are clean.
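The following is an illustrative example added for this page; it is not code from stevenmaguire/middleware-csp and does not use that package's API (the class and function names CspResponse, buildCspHeader and enforceCsp, and the host cdn.example.com, are assumptions). It shows the pattern the Usage and Generic Example sections describe, a middleware step that receives a PSR-7-style response and returns a copy carrying a Content-Security-Policy header built from a $profiles array with two profiles, and it applies the strictness advice above: default-src 'none', no 'unsafe-inline', and a per-request nonce on script-src.

```php
<?php
// Illustrative example, not the stevenmaguire/middleware-csp code or API.
// Assumed names: CspResponse (stand-in for Psr\Http\Message\ResponseInterface),
// buildCspHeader(), enforceCsp(). Assumes PHP 7.4+ for typed properties.
declare(strict_types=1);

/** Minimal stand-in for a PSR-7 response: only the header methods used here. */
final class CspResponse
{
    /** @var array<string,string> */
    private array $headers = [];

    public function withHeader(string $name, string $value): self
    {
        $clone = clone $this;                      // PSR-7 responses are immutable
        $clone->headers[strtolower($name)] = $value;
        return $clone;
    }

    public function getHeaderLine(string $name): string
    {
        return $this->headers[strtolower($name)] ?? '';
    }
}

/**
 * Merge the active profiles (directive => list of sources) into one policy
 * string. Keyword sources ('self', 'none', ...) are quoted as CSP requires,
 * and a per-request nonce is appended to script-src so that no inline script
 * runs unless it carries that nonce.
 */
function buildCspHeader(array $profiles, array $active, string $nonce): string
{
    $keywords = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];
    $merged = [];
    foreach ($active as $name) {
        if (!isset($profiles[$name])) {
            throw new InvalidArgumentException("unknown CSP profile: $name");
        }
        foreach ($profiles[$name] as $directive => $sources) {
            foreach ((array) $sources as $src) {
                $merged[$directive][] = in_array($src, $keywords, true) ? "'$src'" : $src;
            }
        }
    }
    // Add the nonce after merging so it applies whichever profiles set script-src.
    $merged['script-src'][] = "'nonce-$nonce'";

    $parts = [];
    foreach ($merged as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $parts);
}

/** The middleware step itself: response in, decorated response out. */
function enforceCsp(CspResponse $response, array $profiles, array $active, string $nonce): CspResponse
{
    return $response->withHeader('Content-Security-Policy', buildCspHeader($profiles, $active, $nonce));
}

// Constructed configuration for two profiles: a strict default that denies
// everything not listed, and an extra profile for pages that load from a CDN.
$profiles = [
    'default' => [
        'default-src'     => ['none'],
        'script-src'      => ['self'],
        'style-src'       => ['self'],
        'img-src'         => ['self'],
        'connect-src'     => ['self'],
        'object-src'      => ['none'],
        'base-uri'        => ['none'],
        'form-action'     => ['self'],
        'frame-ancestors' => ['none'],
    ],
    'cdn' => [
        'script-src' => ['https://cdn.example.com'],   // assumed host
        'style-src'  => ['https://cdn.example.com'],
    ],
];

// Fresh nonce per response; the same value must be placed on each <script nonce="..."> tag.
$nonce = base64_encode(random_bytes(16));
$response = enforceCsp(new CspResponse(), $profiles, ['default', 'cdn'], $nonce);
echo $response->getHeaderLine('Content-Security-Policy'), PHP_EOL;
```

Running this prints a policy such as default-src 'none'; script-src 'self' https://cdn.example.com 'nonce-...'; style-src 'self' https://cdn.example.com; img-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'. Two things to note when adapting the pattern: the nonce must be generated per response and never reused, and a profile that sets script-src to 'none' would be invalidated by the appended nonce, so the example assumes script-src always lists real sources.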

CSP 1.0 Spec

Directives marked (d) fall back to default-src when not set.

connect-src (d): restricts which URLs the protected resource can load using script interfaces (e.g. the send() method of an XMLHttpRequest object, WebSocket, EventSource)
font-src (d): restricts from where the protected resource can load fonts
img-src (d): restricts from where the protected resource can load images
media-src (d): restricts from where the protected resource can load video, audio, and associated text tracks
object-src (d): restricts from where the protected resource can load plugins
script-src (d): restricts which scripts the protected resource can execute, with additional restrictions against inline scripts and eval; CSP2 adds hash and nonce support
style-src (d): restricts which styles may be applied to the protected resource, with additional restrictions against inline styles
default-src: fallback for every directive marked (d)
frame-src: restricts from where the protected resource can embed frames. Deprecated in CSP2 in favour of child-src (and reinstated in CSP3)
report-uri: specifies a URL to which the user agent sends reports about policy violations
sandbox: specifies an HTML sandbox policy that the user agent applies to the protected resource. Optional in 1.0

New in CSP 2.0

form-action: restricts which URLs can be used as the action of HTML form elements
frame-ancestors: indicates whether the user agent should allow embedding the resource using a frame, iframe, object, embed or applet element, or equivalent functionality in non-HTML resources (the CSP replacement for X-Frame-Options)
plugin-types: restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded
base-uri: restricts the URLs that can be used to specify the document base URL
child-src (d): governs the creation of nested browsing contexts as well as Worker execution contexts

Browser Support

The original README carried a summary table of CSP 1.0 and CSP 2.0 support for Chrome, Firefox, Internet Explorer, Edge, Opera and Safari; the cell values did not survive extraction. For current, detailed support data review Mozilla or caniuse.

Testing

Contributing

Please see CONTRIBUTING for details.

Credits

License

The MIT License (MIT). Please see License File for more information.


All versions of middleware-csp with dependencies

Requires:
  php >=5.4.0
  psr/http-message ^1.0
