Easily integrate Content-Security-Policy headers into your web application, either from a JSON configuration file or programmatically.
CSP Builder was created by Paragon Initiative Enterprises as part of our effort to encourage better application security practices.
Check out our other open source projects too.
<?php
use \ParagonIE\CSPBuilder\CSPBuilder;
$csp = CSPBuilder::fromFile('/path/to/source.json');
$csp->sendCSPHeader();
{
    "report-only": false,
    "report-uri": "/csp_violation_reporting_endpoint",
    "base-uri": [],
    "default-src": [],
    "child-src": {
        "allow": [
            "https://www.youtube.com",
            "https://www.youtube-nocookie.com"
        ],
        "self": false
    },
    "connect-src": [],
    "font-src": {
        "self": true
    },
    "form-action": {
        "allow": [
            "https://example.com"
        ],
        "self": true
    },
    "frame-ancestors": [],
    "img-src": {
        "self": true,
        "data": true
    },
    "media-src": [],
    "object-src": [],
    "plugin-types": [],
    "script-src": {
        "allow": [
            "https://www.google-analytics.com"
        ],
        "self": true,
        "unsafe-inline": false,
        "unsafe-eval": false
    },
    "style-src": {
        "self": true
    },
    "upgrade-insecure-requests": true
}
<?php
use \ParagonIE\CSPBuilder\CSPBuilder;
$csp = CSPBuilder::fromFile('/path/to/source.json');
// Let's add a nonce for inline JS
$nonce = $csp->nonce('script-src');
// Quote the attribute value so the nonce is parsed as a single token
$body .= "<script nonce=\"{$nonce}\">";
$body .= $desiredJavascriptCode;
$body .= "</script>";
// Let's add a hash to the CSP header for $someScript
$hash = $csp->hash('script-src', $someScript, 'sha256');
// Add a new source domain to the whitelist
$csp->addSource('image', 'https://ytimg.com');
// Let's turn on HTTPS enforcement
$csp->addDirective('upgrade-insecure-requests', true);
$csp->sendCSPHeader();
Note that many of these methods can be chained together:
$csp = CSPBuilder::fromFile('/path/to/source.json');
$csp->addSource('image', 'https://ytimg.com')
    ->addSource('frame', 'https://youtube.com')
    ->addDirective('upgrade-insecure-requests', true)
    ->sendCSPHeader();
addSource()
addDirective()
disableOldBrowserSupport()
enableOldBrowserSupport()
hash()
setDirective()
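A check you can run over rendered output to confirm that every inline script is covered by a nonce or a hash in the compiled script-src, which is what the nonce() and hash() calls above are for. This is an added example and not part of CSP Builder; the function names, the sample policy and the sample markup are constructed for illustration, and only sha256 hash sources are compared.

```php
<?php
/** CSP hash-source for an inline script body: 'sha256-' + base64(raw digest). */
function cspHashSource(string $body, string $algo = 'sha256'): string
{
    return "'{$algo}-" . base64_encode(hash($algo, $body, true)) . "'";
}

/** Source list of one directive from a compiled policy string. */
function directiveSources(string $policy, string $directive): array
{
    foreach (explode(';', $policy) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens && strtolower($tokens[0]) === $directive) {
            return array_slice($tokens, 1);
        }
    }
    return [];
}

/** Inline <script> bodies that no nonce or sha256 hash in script-src allows. */
function blockedInlineScripts(string $policy, string $html): array
{
    $sources = directiveSources($policy, 'script-src');
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $blocked = [];
    foreach ($doc->getElementsByTagName('script') as $script) {
        if ($script->hasAttribute('src')) {
            continue;                   // external scripts are not hashed here
        }
        $byNonce = in_array("'nonce-" . $script->getAttribute('nonce') . "'", $sources, true);
        $byHash  = in_array(cspHashSource($script->textContent), $sources, true);
        if (!$byNonce && !$byHash) {
            $blocked[] = $script->textContent;
        }
    }
    return $blocked;
}

// Constructed sample: a nonced script, a hashed script, and a copy of the hashed
// script with a trailing space, which no longer matches its hash.
$nonce  = base64_encode(random_bytes(18));
$hashed = "console.log('hashed');";
$policy = "script-src 'self' 'nonce-{$nonce}' " . cspHashSource($hashed);
$html   = "<script nonce=\"{$nonce}\">init();</script>"
        . "<script>{$hashed}</script><script>{$hashed} </script>";
var_dump(blockedInlineScripts($policy, $html));
```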
Instead of invoking sendCSPHeader(), you can inject the headers into your PSR-7 message object by calling injectCSPHeader():
/**
* $yourMessageHere is an instance of an object that implements
* \Psr\Http\Message\MessageInterface
*
* Typically, this will be a Response object that implements
* \Psr\Http\Message\ResponseInterface
*
* @ref https://github.com/guzzle/psr7/blob/master/src/Response.php
*/
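// PSR-7 messages are immutable: keep the returned instance, which carries the CSP headers
$yourMessageHere = $csp->injectCSPHeader($yourMessageHere);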
Instead of calling sendCSPHeader() on every request, you can build the CSP once and save it to a snippet for including in your server configuration:
$policy = CSPBuilder::fromFile('/path/to/source.json');
$policy->saveSnippet(
    '/etc/nginx/snippets/my-csp.conf',
    CSPBuilder::FORMAT_NGINX
);
Make sure you reload your webserver afterwards.