README

Provides support for enforcing Content Security Policy with headers in PSR 7 responses.

About CSP (Content Security Policy)

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header. - via content-security-policy.com

TL;DR from Google

Use whitelists to tell the client what's alowed and what isn't.
Learn what directives are available.
Learn the keywords they take.
Inline code and eval() are considered harmful.
Report policy violations to your server before enforcing them.

Install

Via Composer

$ composer require stevenmaguire/middleware-csp

Usage

Frameworks and routing layer projects may implement middleware differently. This package is designed to aid in the implementation of CSP for many of those variations provided the middleware pattern expects to provide a Psr\Http\Message\ResponseInterface and receive an updated Psr\Http\Message\ResponseInterface in return.

Generic Example

<?php namespace Stevenmaguire\Http\Middleware\Test;

use Psr\Http\Message\ResponseInterface;
use Stevenmaguire\Http\Middleware\EnforceContentSecurity;

class GenericMiddleware extends EnforceContentSecurity
{
    /**
     * Applies content security policy to given response.
     *
     * @param  ResponseInterface  $response
     * @param  array              $profiles
     *
     * @return ResponseInterface
     */
    public function handle(ResponseInterface $response, $profiles = [])
    {
        array_map(function ($profile) {
            $this->loadProfileByKey($profile);
        }, $profiles);

        return $this->addPolicyHeader($response);
    }

    /**
     * Adds profile configuration to underlying middleware.
     *
     * @param array  $profileConfig
     *
     * @return EnforceContentSecurity
     */
    public function addProfileConfiguration($profileConfig = [])
    {
        return $this->setProfiles($profileConfig);
    }

    /**
     * Encodes a given configuration into formatted directive string.
     *
     * @param  array   $config
     *
     * @return string
     */
    public function getEncodedConfiguration($config = [])
    {
        return $this->encodeConfiguration($config);
    }
}

In this example $profiles is an array of middleware-csp-php specific configuration that directs the package on how to decorate the response.

Here is an example of configuration for two profiles.

// within config/security.php

return [
    'content' => [
        'default' => 'global',
        'profiles' => [
            'global' => [
                'base-uri' => "'self'",
                'default-src' => "'self'",
                'font-src' => [ // e.g. only allows fonts from your server and fonts.gstatic.com
                    "'self'",
                    'fonts.gstatic.com'
                ],
                'img-src' => "'self'",
                'script-src' => "'self'",
                'style-src' => [
                    "'self'",
                    "'unsafe-inline'",
                    'fonts.googleapis.com'
                ],
            ],
            'flickr' => [
                'img-src' => [
                    'https://*.staticflickr.com',
                ],
            ],
        ],
    ],
];

Framework Specific Implementations

Laravel

Defining a CPS

You should try to keep your Content Security Policy as strict as possible. It is best to not allow inline scripts and only files from a trusted source. Only add sources that you activly use and not those that you might use in the future.

CSP 1.0 Spec

New in CSP 2.0

Browser Support

This is a high level summary of browser support for CSP. For more detailed specifications review Mozilla or caniuse

Testing

$ ./vendor/bin/phpunit

stevenmaguire / middleware-csp

Maintainers

Details