Download the PHP package zae/content-security-policy without Composer
On this page you can find all versions of the php package zae/content-security-policy. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package content-security-policy
Short Description A really easy way to build CSP headers and add them to the response.
License MIT
Information about the package content-security-policy
Content Security Policy
A really easy way to build CSP headers and add them to the response.
Officially supported platforms:
- Laravel: ^5.8
- Craft: ^3.0
Install
Via Composer
Laravel
Middleware
Add the middleware to the middleware Kernel.
    protected $middlewareGroups = [
        'web' => [
            // ... existing middleware
            \Zae\ContentSecurityPolicy\Laravel\Http\Middleware\ContentSecurityPolicy::class,
        ],
    ];
Config (config/csp.php)
    return [
        BlockAllMixedContent::class,
        Sandbox::class => [
            Sandbox::ALLOW_FORMS,
            Sandbox::ALLOW_SCRIPTS,
            Sandbox::ALLOW_TOP_NAVIGATION,
            Sandbox::ALLOW_SAME_ORIGIN,
            Sandbox::ALLOW_POPUPS,
        ],
    ];
Craft 3
The library includes a module for Craft 3 that sends the CSP header, and a Twig function that returns the current CSP nonce.
Register the module like this:
    'modules' => [
        'csp' => \Zae\ContentSecurityPolicy\Craft\Module::class,
    ],
    'bootstrap' => [
        'csp',
    ],
Use the Twig function like this:
    <script nonce="{{ cspnonce() }}">
        // inline javascript
    </script>
Config (config/csp.php)
    return [
        'components' => [
            'builder' => Builder::class,
        ],
        'params' => [
            BlockAllMixedContent::class,
            Sandbox::class => [
                Sandbox::ALLOW_FORMS,
                Sandbox::ALLOW_SCRIPTS,
                Sandbox::ALLOW_TOP_NAVIGATION,
                Sandbox::ALLOW_SAME_ORIGIN,
                Sandbox::ALLOW_POPUPS,
            ],
        ],
    ];
Other
Although other frameworks are not officially supported yet, the library can still be used with them. An easy way to do so is with FluidDirectivesFactory.
Fluid Factory
    <?php
    $csp = new CSP();
    $factory = new FluidDirectivesFactory($csp);
    $factory
        ->blockAllMixedContent()
        ->defaultSrc([
            Directive::SELF,
            'https:'
        ])
        ->baseUri([
            Directive::SELF
        ]);
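What a policy like the one above, combined with the per-request nonce exposed by cspnonce(), amounts to on the wire. This is an added example in plain PHP, not code from the package: makeNonce() and buildCspHeader() are hypothetical helpers, and the mapping of the fluid calls to the standard directive names block-all-mixed-content, default-src and base-uri is an assumption.

```php
<?php
declare(strict_types=1);

// Added illustration; it does not use or reproduce the package's classes.

/** Per-request nonce: 128 bits from the CSPRNG, base64-encoded as the CSP grammar expects. */
function makeNonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Serialize directives into a Content-Security-Policy header value.
 * $directives maps a directive name to its list of source expressions;
 * an empty list is a valueless directive such as block-all-mixed-content.
 */
function buildCspHeader(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $values) {
        foreach ($values as $value) {
            // ';' starts a new directive, ',' a new policy, whitespace a new source:
            // reject them so untrusted input cannot widen the policy.
            if (preg_match('/[;,\s\x00-\x1F\x7F]/', $value)) {
                throw new InvalidArgumentException("Illegal character in value for $name");
            }
        }
        $parts[] = $values === [] ? $name : $name . ' ' . implode(' ', $values);
    }
    return implode('; ', $parts);
}

$nonce = makeNonce(); // must be regenerated for every response, never cached

$header = buildCspHeader([
    'block-all-mixed-content' => [],
    'default-src' => ["'self'", 'https:'],
    'base-uri'    => ["'self'"],
    'script-src'  => ["'self'", "'nonce-$nonce'"],
]);

// In a real response: header('Content-Security-Policy: ' . $header);
echo $header, PHP_EOL;

// Only inline scripts carrying the same nonce as the header are executed.
echo '<script nonce="', htmlspecialchars($nonce, ENT_QUOTES), '">/* inline javascript */</script>', PHP_EOL;
```

If a page carrying the nonce is served from a full-page cache, the nonce becomes predictable and no longer restricts injected inline scripts.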
Change log
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security-related issues, please email [email protected] instead of using the issue tracker.
Credits
- Ezra Pool
- All Contributors
License
The MIT License (MIT). Please see License File for more information.