# Content Security Policy Middleware

Provides support for enforcing Content Security Policy with headers in Laravel responses. This package extends and uses the framework-agnostic Content Security Policy Middleware for PSR-7 responses.
## Install

Via Composer

``` bash
$ composer require stevenmaguire/laravel-middleware-csp
```
## Usage
### Register as route middleware
``` php
// within app/Http/Kernel.php
protected $routeMiddleware = [
    //
    'secure.content' => \Stevenmaguire\Laravel\Http\Middleware\EnforceContentSecurity::class,
    //
];
```
### Apply content security policy to routes

The following will apply all default profiles to the `gallery` route.

``` php
// within app/Http/routes.php
Route::get('gallery', ['middleware' => 'secure.content', function () {
    return 'pictures!';
}]);
```
The following will apply all default profiles and a specific `flickr` profile to the `gallery` route.
``` php
// within app/Http/routes.php
Route::get('gallery', ['middleware' => 'secure.content:flickr', function () {
    return 'pictures!';
}]);
```
### Apply content security policy to controllers

The following will apply all default profiles to all methods within the `GalleryController`.

``` php
// within app/Http/Controllers/GalleryController.php
public function __construct()
{
    $this->middleware('secure.content');
}
```
The following will apply all default profiles and a specific `google` profile to all methods within the `GalleryController`.
``` php
// within app/Http/Controllers/GalleryController.php
public function __construct()
{
    $this->middleware('secure.content:google');
}
```
You can include any number of specific profiles in any middleware decoration. For instance, the following will apply the default, `google`, `flickr`, and `my_custom` profiles to all methods within the `GalleryController`.

``` php
// within app/Http/Controllers/GalleryController.php
public function __construct()
{
    $this->middleware('secure.content:google,flickr,my_custom');
}
```
### Create content security profiles
By default the middleware reads content security profiles from the `security.content` configuration key (`config/security.php`). If you wish to use this default location, ensure your project includes that configuration file.

You can find all available directives in the OWASP [CSP Cheat Sheet](https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet).
The structure of this configuration array is important. The middleware expects to find a `default` key with a string value and a `profiles` key with an array value.
``` php
// within config/security.php
return [
    'content' => [
        'default' => '',
        'profiles' => [],
    ],
];
```
The `profiles` array contains the security profiles for your application. Each profile name must be unique, and each profile's value must be an array.

``` php
// within config/security.php
return [
    'content' => [
        'default' => '',
        'profiles' => [
            'profile_one' => [],
            'profile_two' => [],
            'profile_three' => [],
        ],
    ],
];
```
Each profile array should contain keys that correspond to Content Security Policy directives. The value of each directive can be a string, a comma-separated string, or an array of strings. Each string is a source expression (a host such as `https://domain.com`, or a keyword such as `'self'`) that the directive allows when that profile is applied.

``` php
// within config/security.php
return [
    'content' => [
        'default' => '',
        'profiles' => [
            'profile_one' => [
                'base-uri' => 'https://domain.com,http://google.com',
            ],
            'profile_two' => [
                'font-src' => 'https://domain.com',
                'base-uri' => [
                    "'self'",
                    'http://google.com'
                ],
            ],
            'profile_three' => [
                'font-src' => [
                    "'self'"
                ],
            ],
        ],
    ],
];
```
The `default` value should be a string, a comma-separated string, or an array of strings naming the profiles to enforce on every response the middleware handles, including routes that request no specific profile.

``` php
// within config/security.php
return [
    'content' => [
        'default' => 'profile_one',
        'profiles' => [
            'profile_one' => [
                'base-uri' => 'https://domain.com,http://google.com',
            ],
            'profile_two' => [
                'font-src' => 'https://domain.com',
                'base-uri' => [
                    "'self'",
                    'http://google.com'
                ],
            ],
            'profile_three' => [
                'font-src' => [
                    "'self'"
                ],
            ],
        ],
    ],
];
```
Here is a real-world example:
``` php
// within config/security.php
return [
    'content' => [
        'default' => 'global',
        'profiles' => [
            'global' => [
                'base-uri' => "'self'",
                'default-src' => "'self'",
                'font-src' => [
                    "'self'",
                    'fonts.gstatic.com'
                ],
                'img-src' => "'self'",
                'script-src' => "'self'",
                'style-src' => [
                    "'self'",
                    "'unsafe-inline'",
                    'fonts.googleapis.com'
                ],
            ],
            'flickr' => [
                'img-src' => [
                    'https://*.staticflickr.com',
                ],
            ],
        ],
    ],
];
```
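As an added example (not part of the package or its own test suite), the feature test below ties the route usage above to the profile configuration: it assumes the stock Laravel 5.x test scaffolding (`tests/TestCase.php`), the `secure.content` alias registered in the Kernel as shown earlier, and that the middleware reads `config('security.content')`. It checks that a route decorated with `secure.content:flickr` gets the Flickr source merged into `img-src`, while a route using only the default profile does not.

```php
<?php
// tests/ContentSecurityPolicyTest.php (added example; the profiles below are constructed for the test)
use Illuminate\Support\Facades\Route;

class ContentSecurityPolicyTest extends TestCase
{
    public function testFlickrProfileIsOnlyMergedWhereRequested()
    {
        // Assumption: the middleware reads its profiles from config('security.content').
        config(['security.content' => [
            'default' => 'global',
            'profiles' => [
                'global' => ['default-src' => "'self'", 'img-src' => "'self'"],
                'flickr' => ['img-src' => ['https://*.staticflickr.com']],
            ],
        ]]);
        Route::get('gallery', ['middleware' => 'secure.content:flickr', function () {
            return 'pictures!';
        }]);
        Route::get('about', ['middleware' => 'secure.content', function () {
            return 'about';
        }]);

        $gallery = $this->call('GET', 'gallery')->headers->get('Content-Security-Policy');
        $this->assertNotNull($gallery, 'middleware must emit a Content-Security-Policy header');
        $this->assertDirectiveAllows($gallery, 'default-src', "'self'");
        $this->assertDirectiveAllows($gallery, 'img-src', 'https://*.staticflickr.com');

        // The default profile alone must not open img-src to Flickr.
        $about = $this->call('GET', 'about')->headers->get('Content-Security-Policy');
        $this->assertNotNull($about);
        $this->assertFalse(strpos($about, 'staticflickr.com'));
    }

    // A CSP header is ";"-separated; each entry is "<directive> <source> <source>...".
    private function assertDirectiveAllows($csp, $directive, $source)
    {
        foreach (array_map('trim', explode(';', $csp)) as $entry) {
            $parts = preg_split('/\s+/', $entry);
            if (array_shift($parts) === $directive) {
                $this->assertContains($source, $parts, "$directive should allow $source");
                return;
            }
        }
        $this->fail("$directive directive missing from: $csp");
    }
}
```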
## Testing

``` bash
$ ./vendor/bin/phpunit
```

## Contributing

Please see CONTRIBUTING for details.

## Credits

## License

The MIT License (MIT). Please see License File for more information.