stevenmaguire / laravel-middleware-csp
Provides support for enforcing Content Security Policy with headers in Laravel responses.
Installs: 106 203
Dependents: 1
Suggesters: 0
Security: 0
Stars: 40
Watchers: 3
Forks: 5
Open Issues: 2
Requires
- php: >=5.5.9
- guzzlehttp/psr7: ^1.1
- illuminate/http: ^5.1
- stevenmaguire/middleware-csp: ^0.1
Requires (Dev)
- mockery/mockery: 0.9.*@dev
- phpunit/phpunit: 3.7.*
- squizlabs/php_codesniffer: ~2.0
This package is auto-updated.
Last update: 2024-10-14 10:52:14 UTC
README
Provides support for enforcing Content Security Policy with headers in Laravel responses. This package extends and utilizes the framework agnostic Content Security Policy Middleware for PSR 7 response.
Install
Via Composer
$ composer require stevenmaguire/laravel-middleware-csp
Usage
Register as route middleware
// within app/Http/Kernal.php protected $routeMiddleware = [ // 'secure.content' => \Stevenmaguire\Laravel\Http\Middleware\EnforceContentSecurity::class, // ];
Apply content security policy to routes
The following will apply all default profiles to the gallery
route.
// within app/Http/routes.php Route::get('gallery', ['middleware' => 'secure.content'], function () { return 'pictures!'; });
The following will apply all default profiles and a specific flickr
profile to the gallery
route.
// within app/Http/routes.php Route::get('gallery', ['middleware' => 'secure.content:flickr'], function () { return 'pictures!'; });
Apply content security policy to controllers
The following will apply all default profiles to all methods within the GalleryController
.
// within app/Http/Controllers/GalleryController.php public function __construct() { $this->middleware('secure.content'); }
The following will apply all default profiles and a specific google
profile to all methods within the GalleryController
.
// within app/Http/Controllers/GalleryController.php public function __construct() { $this->middleware('secure.content:google'); }
You can include any number of specific profiles to any middleware decoration. For instance, the following will apply default, google
, flickr
, and my_custom
profiles to all methods within the GalleryController
.
// within app/Http/Controllers/GalleryController.php public function __construct() { $this->middleware('secure.content:google,flickr,my_custom'); }
Create content security profiles
The default location for content security profiles is security.content
. If you wish to use this default configuration, ensure your project includes the appropriate configuration files.
You can find all available options on the owasp CSP Cheat Sheet.
The structure of this configuration array is important. The middleware expects to find a default
key with a string value and a profiles
key with an array value.
// within config/security.php return [ 'content' => [ 'default' => '', 'profiles' => [], ], ];
The profiles
array contains the security profiles for your application. Each profile name must be unique and is expected to have a value of an array.
// within config/security.php return [ 'content' => [ 'default' => '', 'profiles' => [ 'profile_one' => [], 'profile_two' => [], 'profile_three' => [], ], ], ];
Each profile array should contain keys that correspond to Content Security Policy directives. The value of each of these directives can be a string, comma-separated string, or array of strings. Each string value should correspond to the domain associated with your directive and profile.
// within config/security.php return [ 'content' => [ 'default' => '', 'profiles' => [ 'profile_one' => [ 'base-uri' => 'https://domain.com,http://google.com', ], 'profile_two' => [ 'font-src' => 'https://domain.com', 'base-uri' => [ "'self'", 'http://google.com' ], ], 'profile_three' => [ 'font-src' => [ "'self'" ], ], ], ], ];
The default
key value should be a string, comma-separated string, or array of strings that correspond to the unique profile names that you would like to enforce on all responses with minimal content security applied.
// within config/security.php return [ 'content' => [ 'default' => 'profile_one', 'profiles' => [ 'profile_one' => [ 'base-uri' => 'https://domain.com,http://google.com', ], 'profile_two' => [ 'font-src' => 'https://domain.com', 'base-uri' => [ "'self'", 'http://google.com' ], ], 'profile_three' => [ 'font-src' => [ "'self'" ], ], ], ], ];
Here is a real-world example:
// within config/security.php return [ 'content' => [ 'default' => 'global', 'profiles' => [ 'global' => [ 'base-uri' => "'self'", 'default-src' => "'self'", 'font-src' => [ "'self'", 'fonts.gstatic.com' ], 'img-src' => "'self'", 'script-src' => "'self'", 'style-src' => [ "'self'", "'unsafe-inline'", 'fonts.googleapis.com' ], ], 'flickr' => [ 'img-src' => [ 'https://*.staticflickr.com', ], ], ], ], ];
Testing
$ ./vendor/bin/phpunit
Contributing
Please see CONTRIBUTING for details.
Credits
License
The MIT License (MIT). Please see License File for more information.