Content Security Policy (CSP) support for PHP

Installation:, _(*1)

composer require elgg/content-security-policy

Example usage:, _(*2)

use Elgg\ContentSecurityPolicy\Directive;
use Elgg\ContentSecurityPolicy\Header;
use Elgg\ContentSecurityPolicy\Policy;
use Elgg\ContentSecurityPolicy\Source;

$policy = new Policy();
$policy = $policy->withSource(Directive::DEFAULT_SRC(), Source::SELF)
            ->withSource(Directive::IMAGE_SRC(), Source::DATA);

header(Header::STANDARD . ": $policy");
// Sends "Content-Security-Policy: default-src 'self'; img-src data:"

By default, the policy blocks everything it possibly can. This is by design to ensure that your site only allows what you want to allow, not what someone else thinks is a reasonable default., _(*3)

$policy = new Policy();
echo $policy; // default-src 'none'; sandbox

Features:, _(*4)

Elgg\ContentSecurityPolicy\Policy
 [x] Instances are immutable
 [x] Supports configuring all standard src directives
 [x] Can be stringified into standard csp format
 [x] The default policy value allows nothing