Easily integrate Content-Security-Policy headers into your web application, either from a JSON configuration file or programmatically.
CSP Builder was created by Paragon Initiative Enterprises as part of our effort to encourage better application security practices.
Check out our other open source projects too.
There's also a CSP middleware available that uses this library.
First, get Composer, then run:
composer require paragonie/csp-builder
<?php
use ParagonIE\CSPBuilder\CSPBuilder;
$csp = CSPBuilder::fromFile('/path/to/source.json');
$csp->sendCSPHeader();
You can also load the configuration from a JSON string, like so:
<?php
use ParagonIE\CSPBuilder\CSPBuilder;
$configuration = file_get_contents('/path/to/source.json');
if (!is_string($configuration)) {
throw new Error('Could not read configuration file!');
}
$csp = CSPBuilder::fromData($configuration);
$csp->sendCSPHeader();
Finally, you can just pass an array to the first argument of the constructor:
<?php
use ParagonIE\CSPBuilder\CSPBuilder;
$configuration = file_get_contents('/path/to/source.json');
if (!is_string($configuration)) {
throw new Error('Could not read configuration file!');
}
$decoded = json_decode($configuration, true);
if (!is_array($decoded)) {
throw new Error('Could not parse configuration!');
}
$csp = new CSPBuilder($decoded);
$csp->sendCSPHeader();
An example configuration file (the source.json referenced above). Each directive is either an empty array or an object whose keys map to CSP source expressions; "report-only" switches between the Content-Security-Policy and Content-Security-Policy-Report-Only headers:
{
"report-only": false,
"report-uri": "/csp_violation_reporting_endpoint",
"base-uri": [],
"default-src": [],
"child-src": {
"allow": [
"https://www.youtube.com",
"https://www.youtube-nocookie.com"
],
"self": false
},
"connect-src": [],
"font-src": {
"self": true
},
"form-action": {
"allow": [
"https://example.com"
],
"self": true
},
"frame-ancestors": [],
"img-src": {
"blob": true,
"self": true,
"data": true
},
"media-src": [],
"object-src": [],
"plugin-types": [],
"script-src": {
"allow": [
"https://www.google-analytics.com"
],
"self": true,
"unsafe-inline": false,
"unsafe-eval": false
},
"style-src": {
"self": true
},
"upgrade-insecure-requests": true
}
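The configuration above points report-uri at /csp_violation_reporting_endpoint, but the library only emits the header; receiving the reports is the application's job. The following receiver is an added example written for this page, not code from csp-builder. Browsers POST a JSON body of the form {"csp-report": {...}} with Content-Type application/csp-report; the function name parseCspReport, the field whitelist, the 64 KiB body cap and the 512-character field cap are this example's own choices.

```php
<?php
// Added example, not part of paragonie/csp-builder: a minimal receiver for
// the "report-uri" endpoint named in the JSON configuration above.
declare(strict_types=1);

/**
 * Extract the triage-relevant fields from a CSP violation report.
 * Everything in the report is browser- and page-controlled, so treat it as
 * untrusted: bound the JSON depth, keep only known keys, and cap string length.
 */
function parseCspReport(string $body): ?array
{
    $decoded = json_decode($body, true, 8);
    if (!is_array($decoded) || !isset($decoded['csp-report']) || !is_array($decoded['csp-report'])) {
        return null;
    }
    $report = $decoded['csp-report'];
    $fields = [
        'document-uri', 'effective-directive', 'violated-directive',
        'blocked-uri', 'source-file', 'line-number', 'column-number', 'disposition',
    ];
    $out = [];
    foreach ($fields as $field) {
        if (!isset($report[$field])) {
            continue;
        }
        $value = $report[$field];
        if (is_string($value)) {
            $out[$field] = mb_substr($value, 0, 512);
        } elseif (is_int($value)) {
            $out[$field] = $value;
        }
    }
    return $out === [] ? null : $out;
}

// --- request handling ---
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}
// Cap the body at 64 KiB; a real report is a few hundred bytes.
$raw = file_get_contents('php://input', false, null, 0, 65536);
if (!is_string($raw) || $raw === '') {
    http_response_code(400);
    exit;
}
$report = parseCspReport($raw);
if ($report === null) {
    http_response_code(400);
    exit;
}
// Log one line per violation; a real deployment would also rate-limit
// per client, since the endpoint is reachable by anyone who can load the page.
error_log('csp-violation ' . json_encode($report, JSON_UNESCAPED_SLASHES));
http_response_code(204);
```

Reports arrive without cookies and may be sent by any page carrying your policy, so the endpoint must not require authentication and must not trust anything in the body. A common rollout is to set "report-only": true first, watch this log for unexpected blocked-uri values, then switch to enforcement.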
<?php
use ParagonIE\CSPBuilder\CSPBuilder;

$csp = CSPBuilder::fromFile('/path/to/source.json');

// Let's add a nonce for inline JS. nonce() returns the nonce string and adds
// 'nonce-...' to the script-src directive; build the policy per request so
// that every response gets a fresh nonce.
$nonce = $csp->nonce('script-src');
$body = '';
// Quote the attribute: a base64 nonce can contain characters (such as '=')
// that are not valid in an unquoted HTML attribute value.
$body .= "<script nonce=\"{$nonce}\">";
$body .= $desiredJavascriptCode;
$body .= "</script>";

// Let's add a hash to the CSP header for $someScript. hash() adds 'sha256-...'
// to the directive and returns the builder (not the digest), so the hash must
// be computed over exactly the bytes that will appear between the script tags.
$csp->hash('script-src', $someScript, 'sha256');

// Add a new source domain to the whitelist
$csp->addSource('image', 'https://ytimg.com');

// Set the Report URI
$csp->setReportUri('https://example.com/csp_report.php');

// Let's turn on HTTPS enforcement
$csp->addDirective('upgrade-insecure-requests', true);

// Headers must go out before any response body is echoed
$csp->sendCSPHeader();
Note that many of these methods can be chained together:
<?php
use ParagonIE\CSPBuilder\CSPBuilder;

$csp = CSPBuilder::fromFile('/path/to/source.json');
$csp->addSource('image', 'https://ytimg.com')
    ->addSource('frame', 'https://youtube.com')
    ->addDirective('upgrade-insecure-requests', true)
    ->sendCSPHeader();
Chainable methods (each returns the builder):
addSource()
addDirective()
disableOldBrowserSupport()
enableOldBrowserSupport()
hash()
preHash()
setDirective()
setBlobAllowed()
setDataAllowed()
setFileSystemAllowed()
setMediaStreamAllowed()
setReportUri()
setSelfAllowed()
setAllowUnsafeEval()
setAllowUnsafeInline()
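The nonce and hash calls above are easy to get subtly wrong: the nonce has to be fresh per response, the hash has to cover the exact script bytes, and the data you interpolate into an inline script still has to be escaped. The page handler below is an added example written for this page, not code from the csp-builder project. It assumes Composer's autoloader at vendor/autoload.php and that source.json is the configuration file shown earlier; $fixedScript, $dynamic and $html are this example's own names.

```php
<?php
// Added example, not from the csp-builder README: one CSPBuilder per request,
// a fresh nonce for a dynamically generated inline script, and a hash for an
// inline snippet whose bytes are fixed at deploy time.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // assumed Composer autoloader

use ParagonIE\CSPBuilder\CSPBuilder;

// Assumed: the JSON configuration file shown earlier in this README.
$csp = CSPBuilder::fromFile(__DIR__ . '/source.json');

// nonce() generates a random nonce, adds 'nonce-...' to script-src and
// returns the string for use in the markup. Never reuse it across requests.
$nonce = $csp->nonce('script-src');

// A snippet that never changes can be allowed by hash instead. The hash must
// be computed over exactly the bytes that end up between <script> and
// </script>, so the same variable is used for both the hash and the markup.
$fixedScript = "document.documentElement.classList.add('js');";
$csp->hash('script-src', $fixedScript, 'sha256');

// Request-dependent data goes into the nonced script. JSON-encode it with the
// HEX flags so '<', '>', '&' and quotes cannot terminate the script element
// or break out of a JS string; CSP is a backstop, not a substitute for this.
$pageData = ['page' => 'home', 'user' => 'alice</script><script>alert(1)'];
$dynamic = 'window.PAGE = ' . json_encode(
    $pageData,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
) . ';';

// The nonce attribute is quoted and escaped like any other attribute value.
$html = sprintf(
    "<script nonce=\"%s\">%s</script>\n<script>%s</script>\n",
    htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8'),
    $dynamic,
    $fixedScript
);

// compile() returns the policy string that sendCSPHeader() would emit;
// handy for asserting in tests that 'nonce-...' and 'sha256-...' are present.
$policy = $csp->compile();

// Send the header before any output, then the body.
$csp->sendCSPHeader();
header('Content-Type: text/html; charset=UTF-8');
echo $html;
```

If the fixed snippet is reformatted by a template engine or minifier after the hash is computed, the browser will block it; the safest layout is to keep the hashed content in one variable, as above, and emit it verbatim.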
Instead of invoking sendCSPHeader(), you can inject the headers into your PSR-7 message object by calling it like so:
<?php
/**
 * $yourMessageHere is an instance of an object that implements
 * \Psr\Http\Message\MessageInterface
 *
 * Typically, this will be a Response object that implements
 * \Psr\Http\Message\ResponseInterface
 *
 * @ref https://github.com/guzzle/psr7/blob/master/src/Response.php
 */
// PSR-7 messages are immutable, so keep the returned message rather than
// the one you passed in.
$yourMessageHere = $csp->injectCSPHeader($yourMessageHere);
Instead of calling sendCSPHeader() on every request, you can build the CSP once and save it to a snippet for including in your server configuration:
<?php
use ParagonIE\CSPBuilder\CSPBuilder;

$policy = CSPBuilder::fromFile('/path/to/source.json');
$policy->saveSnippet(
    '/etc/nginx/snippets/my-csp.conf',
    CSPBuilder::FORMAT_NGINX
);
Make sure you reload your webserver afterwards. Because the snippet is fixed at build time, it cannot carry per-request nonces; a policy that relies on nonce() has to be generated by the application on each request.
If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.