Download the PHP package stevenmaguire/middleware-csp without Composer
On this page you can find all versions of the php package stevenmaguire/middleware-csp. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download stevenmaguire/middleware-csp
More information about stevenmaguire/middleware-csp
Files in stevenmaguire/middleware-csp
Package middleware-csp
Short Description Provides support for enforcing Content Security Policy with headers in PSR 7 responses.
License MIT
Homepage https://github.com/stevenmaguire/middleware-csp-php
Informations about the package middleware-csp
Content Security Policy Middleware
Provides support for enforcing Content Security Policy with headers in PSR 7 responses.
About CSP (Content Security Policy)
The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header. - via content-security-policy.com
TL;DR from Google
- Use whitelists to tell the client what's alowed and what isn't.
- Learn what directives are available.
- Learn the keywords they take.
- Inline code and eval() are considered harmful.
- Report policy violations to your server before enforcing them.
Install
Via Composer
Usage
Frameworks and routing layer projects may implement middleware differently. This package is designed to aid in the implementation of CSP for many of those variations provided the middleware pattern expects to provide a Psr\Http\Message\ResponseInterface
and receive an updated Psr\Http\Message\ResponseInterface
in return.
Generic Example
In this example $profiles
is an array of middleware-csp-php
specific configuration that directs the package on how to decorate the response.
Here is an example of configuration for two profiles.
Framework Specific Implementations
Defining a CPS
You should try to keep your Content Security Policy as strict as possible. It is best to not allow inline scripts and only files from a trusted source. Only add sources that you activly use and not those that you might use in the future.
CSP 1.0 Spec
Directive | Description |
---|---|
connect-src (d) |
restricts which URLs the protected resource can load using script interfaces. (e.g. send() method of an XMLHttpRequest object) |
font-src (d) |
restricts from where the protected resource can load fonts |
img-src (d) |
restricts from where the protected resource can load images |
media-src (d) |
restricts from where the protected resource can load video, audio, and associated text tracks |
object-src (d) |
restricts from where the protected resource can load plugins |
script-src (d) |
restricts which scripts the protected resource can execute. Additional restrictions against, inline scripts, and eval. Additional directives in CSP2 for hash and nonce support |
style-src (d) |
restricts which styles the user may applies to the protected resource. Additional restrictions against inline and eval. |
default-src |
Covers any directive with (d) |
frame-src |
restricts from where the protected resource can embed frames. Note, deprecated in CSP2 |
report-uri |
specifies a URL to which the user agent sends reports about policy violation |
sandbox |
specifies an HTML sandbox policy that the user agent applies to the protected resource. Optional in 1.0 |
New in CSP 2.0
Directive | Description |
---|---|
form-action |
retricts which URLs can be used as the action of HTML form elements |
frame-ancestors |
indicates whether the user agent should allow embedding the resource using a frame, iframe, object, embed or applet element, or equivalent functionality in non-HTML resources |
plugin-types |
restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded |
base-uri |
restricts the URLs that can be used to specify the document base URL |
child-src (d) |
governs the creation of nested browsing contexts as well as Worker execution contexts |
Browser Support
This is a high level summary of browser support for CSP. For more detailed specifications review Mozilla or caniuse
Browser | CSP 1.0 | CSP 2.0 |
---|---|---|
Chrome | ||
Firefox | ||
Internet Explorer | ||
Edge | ||
Opera | ||
Safari |
Testing
Contributing
Please see CONTRIBUTING for details.
Credits
License
The MIT License (MIT). Please see License File for more information.