项目作者: stevenmaguire

项目描述 :
提供对在Laravel响应中使用标头实施内容安全策略的支持。
高级语言: PHP
项目地址: git://github.com/stevenmaguire/laravel-middleware-csp.git
创建时间: 2015-08-05T23:57:27Z
项目社区:https://github.com/stevenmaguire/laravel-middleware-csp

开源协议:MIT License

下载


Content Security Policy Middleware

Latest Version
Software License
Build Status
Coverage Status
Quality Score
Total Downloads

Provides support for enforcing Content Security Policy with headers in Laravel responses. This package extends and utilizes the framework agnostic Content Security Policy Middleware for PSR 7 response.

Install

Via Composer

  1. $ composer require stevenmaguire/laravel-middleware-csp

Usage

Register as route middleware

  1. // within app/Http/Kernal.php
  2. protected $routeMiddleware = [
  3. //
  4. 'secure.content' => \Stevenmaguire\Laravel\Http\Middleware\EnforceContentSecurity::class,
  5. //
  6. ];

Apply content security policy to routes

The following will apply all default profiles to the gallery route.

  1. // within app/Http/routes.php
  2. Route::get('gallery', ['middleware' => 'secure.content'], function () {
  3. return 'pictures!';
  4. });

The following will apply all default profiles and a specific flickr profile to the gallery route.

  1. // within app/Http/routes.php
  2. Route::get('gallery', ['middleware' => 'secure.content:flickr'], function () {
  3. return 'pictures!';
  4. });

Apply content security policy to controllers

The following will apply all default profiles to all methods within the GalleryController.

  1. // within app/Http/Controllers/GalleryController.php
  2. public function __construct()
  3. {
  4. $this->middleware('secure.content');
  5. }

The following will apply all default profiles and a specific google profile to all methods within the GalleryController.

  1. // within app/Http/Controllers/GalleryController.php
  2. public function __construct()
  3. {
  4. $this->middleware('secure.content:google');
  5. }

You can include any number of specific profiles to any middleware decoration. For instance, the following will apply default, google, flickr, and my_custom profiles to all methods within the GalleryController.

  1. // within app/Http/Controllers/GalleryController.php
  2. public function __construct()
  3. {
  4. $this->middleware('secure.content:google,flickr,my_custom');
  5. }

Create content security profiles

The default location for content security profiles is security.content. If you wish to use this default configuration, ensure your project includes the appropriate configuration files.

You can find all available options on the owasp CSP Cheat Sheet.

The structure of this configuration array is important. The middleware expects to find a default key with a string value and a profiles key with an array value.

  1. // within config/security.php
  2. return [
  3. 'content' => [
  4. 'default' => '',
  5. 'profiles' => [],
  6. ],
  7. ];

The profiles array contains the security profiles for your application. Each profile name must be unique and is expected to have a value of an array.

  1. // within config/security.php
  2. return [
  3. 'content' => [
  4. 'default' => '',
  5. 'profiles' => [
  6. 'profile_one' => [],
  7. 'profile_two' => [],
  8. 'profile_three' => [],
  9. ],
  10. ],
  11. ];

Each profile array should contain keys that correspond to Content Security Policy directives. The value of each of these directives can be a string, comma-separated string, or array of strings. Each string value should correspond to the domain associated with your directive and profile.

  1. // within config/security.php
  2. return [
  3. 'content' => [
  4. 'default' => '',
  5. 'profiles' => [
  6. 'profile_one' => [
  7. 'base-uri' => 'https://domain.com,http://google.com',
  8. ],
  9. 'profile_two' => [
  10. 'font-src' => 'https://domain.com',
  11. 'base-uri' => [
  12. "'self'",
  13. 'http://google.com'
  14. ],
  15. ],
  16. 'profile_three' => [
  17. 'font-src' => [
  18. "'self'"
  19. ],
  20. ],
  21. ],
  22. ],
  23. ];

The default key value should be a string, comma-separated string, or array of strings that correspond to the unique profile names that you would like to enforce on all responses with minimal content security applied.

  1. // within config/security.php
  2. return [
  3. 'content' => [
  4. 'default' => 'profile_one',
  5. 'profiles' => [
  6. 'profile_one' => [
  7. 'base-uri' => 'https://domain.com,http://google.com',
  8. ],
  9. 'profile_two' => [
  10. 'font-src' => 'https://domain.com',
  11. 'base-uri' => [
  12. "'self'",
  13. 'http://google.com'
  14. ],
  15. ],
  16. 'profile_three' => [
  17. 'font-src' => [
  18. "'self'"
  19. ],
  20. ],
  21. ],
  22. ],
  23. ];

Here is a real-world example:

  1. // within config/security.php
  2. return [
  3. 'content' => [
  4. 'default' => 'global',
  5. 'profiles' => [
  6. 'global' => [
  7. 'base-uri' => "'self'",
  8. 'default-src' => "'self'",
  9. 'font-src' => [
  10. "'self'",
  11. 'fonts.gstatic.com'
  12. ],
  13. 'img-src' => "'self'",
  14. 'script-src' => "'self'",
  15. 'style-src' => [
  16. "'self'",
  17. "'unsafe-inline'",
  18. 'fonts.googleapis.com'
  19. ],
  20. ],
  21. 'flickr' => [
  22. 'img-src' => [
  23. 'https://*.staticflickr.com',
  24. ],
  25. ],
  26. ],
  27. ],
  28. ];

Testing

  1. $ ./vendor/bin/phpunit

Contributing

Please see CONTRIBUTING for details.

Credits

License

The MIT License (MIT). Please see License File for more information.