CSP nonce-source for PHP
CSP (Content Security Policy) nonce-source library for PHP.
What is CSP nonce-source?
It is one of the CSP 2 features that help prevent XSS: only inline scripts carrying the per-response nonce are allowed to run.
If you are unfamiliar with it, see CSP for the web we have | Mozilla Security Blog.
Requirement
Installation
$ git clone https://github.com/kenjis/php-csp-nonce-source.git
$ cd php-csp-nonce-source
$ composer install
Usage
All you have to call are Csp::sendHeader() and Csp::getNonce().
Csp::sendHeader() sends the CSP header.
Csp::getNonce() returns the nonce value for the current response.
<?php
require __DIR__ . '/bootstrap.php';
// Send the CSP header before any output is emitted.
Csp::sendHeader();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Sample of CSP nonce-source</title>
</head>
<body>
<!-- The nonce attribute must match the one in the header sent by Csp::sendHeader() -->
<script nonce="<?= Csp::getNonce() ?>">
    console.log('This inline script is allowed by the nonce.');
</script>
</body>
</html>
You can test it with the PHP built-in web server.
$ php -S localhost:8000
Then browse to http://localhost:8000/.
You can see CSP violation reports in the csp-report.log file.
(Optional) Add other policies
You can add other policies using Csp::addPolicy().
<?php
require __DIR__ . '/bootstrap.php';
Csp::addPolicy('default-src', 'self');
Csp::addPolicy('img-src', 'img.example.com');
Csp::sendHeader();
(Optional) Report Only
You can enable Report Only mode using Csp::setReportOnly(). Violations are then reported but not blocked.
<?php
require __DIR__ . '/bootstrap.php';
Csp::addPolicy('default-src', 'self');
Csp::setReportOnly();
Csp::sendHeader();
You can see CSP violation reports in the csp-report.log file.
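To show what the library does under the hood for both the Usage and Report Only sections above, here is an added, self-contained example (not the library's own code) that generates a nonce, emits the matching header, serves a page with one nonced and one un-nonced inline script, and logs browser violation reports to csp-report.log. The report path /csp-report.php and the policy string are assumptions for this demo.

```php
<?php
// Added example (not from kenjis/php-csp-nonce-source): hand-rolled nonce-source flow.
declare(strict_types=1);

// One fresh nonce per response; never reuse it across requests.
function makeNonce(): string
{
    return base64_encode(random_bytes(16));
}

// Build the header name and value. The nonce must be wrapped as 'nonce-<base64>'.
// $reportOnly switches to the Report-Only header, which reports but does not block.
function buildCspHeader(string $nonce, bool $reportOnly): array
{
    $name = $reportOnly
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    $value = "default-src 'self'; script-src 'nonce-{$nonce}'; report-uri /csp-report.php";
    return [$name, $value];
}

// Report receiver: browsers POST a JSON body {"csp-report": {...}} to report-uri.
if (($_SERVER['REQUEST_URI'] ?? '/') === '/csp-report.php') {
    $json = file_get_contents('php://input');
    file_put_contents(
        __DIR__ . '/csp-report.log',
        date('c') . ' ' . $json . PHP_EOL,
        FILE_APPEND
    );
    http_response_code(204);
    exit;
}

$nonce = makeNonce();
[$name, $value] = buildCspHeader($nonce, false); // pass true for Report Only mode
header("{$name}: {$value}");
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>nonce-source demo</title></head>
<body>
<!-- Allowed: the nonce attribute matches the header -->
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>">console.log('allowed');</script>
<!-- Blocked and reported: no nonce, and 'unsafe-inline' is not in the policy -->
<script>console.log('blocked by CSP');</script>
</body>
</html>
```

Run it as the router script of the built-in server (php -S localhost:8000 demo.php) so that both the page and the /csp-report.php POST are handled by the same file; the second script's violation then appears in csp-report.log.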
License
MIT License. See LICENSE.md.
Reference
- Content Security Policy Level 2 http://www.w3.org/TR/2014/WD-CSP2-20140703/
- Firefox Notes Version 31.0 https://www.mozilla.org/en-US/mobile/31.0/releasenotes/
- CSP for the web we have | Mozilla Security Blog https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/