pavlakis/csp-middleware

Add Content-Security-Policy headers for PSR-7 requests. Uses the csp-builder library paragonie/csp-builder.

, _(*1)

CSP Middleware

Add Content-Security-Policy headers using PSR-7 requests. Uses the paragonie/csp-builder package., _(*2)

Usage

Adding the middleware is as simple as:, _(*3)

$app->add(new \Pavlakis\Middleware\Csp\CspMiddleware($container->get('csp'));

Where $container->get('csp') returns an instance of CSPBuilder with a CSP configuration., _(*4)

There is a second parameter $reportOnly. It is a boolean and set to true by default and it will add the CSP header as Content-Security-Policy-Report-Only. This is important so you don't break your application accidentally., _(*5)

To enable it, pass false, _(*6)

Use a json file with the csp policies., _(*7)

Example:, _(*8)

{
  "report-only": false,
  "report-uri": "/csp/enforce",
  "base-uri": [],
  "default-src": [],
  "child-src": {
    "self": false
  },
  "connect-src": {},
  "font-src": {
    "self": true
  },
  "form-action": {
    "self": true
  },
  "frame-ancestors": [],
  "img-src": {
    "self": true
  },
  "media-src": [],
  "object-src": [],
  "plugin-types": [],
  "script-src": {
    "allow": [
      "https://www.google-analytics.com"
    ],
    "self": true,
    "unsafe-inline": false,
    "unsafe-eval": false
  },
  "style-src": {
    "self": true,
    "unsafe-inline": false
  },
  "upgrade-insecure-requests": true
}

Example in Slim3

Dependencies (dependencies.php), _(*9)

$container['csp'] = function ($c) {
    $csp = CSPBuilder::fromFile(__DIR__ . '/configs/csp.json');
    return $csp;
};

Application Middleware (middleware.php), _(*10)

$app->add(new \Pavlakis\Middleware\Csp\CspMiddleware($container->get('csp'));

Resources

Useful resources for CSP, _(*11)

• CSP: Let's break stuff - by Matt Brunt (@brunty)
• Report-Uri.io
• Web Fundamentals - CSP