Set content security policy headers in a Laravel app

By default, all scripts on a webpage are allowed to send and fetch data to any site they want. This can be a security problem. Imagine one of your JavaScript dependencies sends all keystrokes, including passwords, to a third party website.

It's very easy for someone to hide this malicious behaviour, making it nearly impossible for you to detect it (unless you manually read all the JavaScript code on your site). For a better idea of why you really need to set content security policy headers, read this excellent blog post by David Gilbertson.

Setting Content Security Policy headers helps solve this problem. These headers dictate which sites your site is allowed to contact. This package makes it easy for you to set the right headers.

This readme does not aim to fully explain all the possible usages of CSP and its directives. We highly recommend that you read Mozilla's documentation on the Content Security Policy before using this package. Another good resource to learn about CSP, is this edition of the Larasec newsletter by Stephen Rees-Carter.

If you're an audiovisual learner, you should check out this video on how to use this package.

Support us

We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.

Installation

You can install the package via composer:

composer require spatie/laravel-csp

You can publish the config-file with:

php artisan vendor:publish --tag=csp-config

This is the contents of the file which will be published at config/csp.php:

return [

    /*
     * A policy will determine which CSP headers will be set. A valid CSP policy is
     * any class that extends `Spatie\Csp\Policies\Policy`
     */
    'policy' => Spatie\Csp\Policies\Basic::class,

    /*
     * This policy which will be put in report only mode. This is great for testing out
     * a new policy or changes to existing csp policy without breaking anything.
     */
    'report_only_policy' => '',

    /*
     * All violations against the policy will be reported to this url.
     * A great service you could use for this is https://report-uri.com/
     *
     * You can override this setting by calling `reportTo` on your policy.
     */
    'report_uri' => env('CSP_REPORT_URI', ''),

    /*
     * Headers will only be added if this setting is set to true.
     */
    'enabled' => env('CSP_ENABLED', true),

    /*
     * The class responsible for generating the nonces used in inline tags and headers.
     */
    'nonce_generator' => Spatie\Csp\Nonce\RandomString::class,
];

You can add CSP headers to all responses of your app by registering Spatie\Csp\AddCspHeaders::class in the http kernel.

// app/Http/Kernel.php

// ...

protected $middlewareGroups = [
    'web' => [
        // ...
        \Spatie\Csp\AddCspHeaders::class,
    ],
];

Alternatively you can apply the middleware on the route or route group level.

// in a routes file
Route::get('my-page', 'MyController')->middleware(Spatie\Csp\AddCspHeaders::class);

You can also pass a policy class as a parameter to the middleware:

// in a routes file
Route::get('my-page', 'MyController')->middleware(Spatie\Csp\AddCspHeaders::class . ':' . MyPolicy::class);

The given policy will override the one configured in the config file for that specific route or group of routes.

Usage

This package allows you to define CSP policies. A CSP policy determines which CSP directives will be set in the headers of the response.

An example of a CSP directive is script-src. If this has the value 'self' www.google.com then your site can only load scripts from its own domain or www.google.com. You'll find a list with all CSP directives at Mozilla's excellent developer site.

According to the spec certain directive values need to be surrounded by quotes. Examples of this are 'self', 'none' and 'unsafe-inline'. When using the addDirective function you're not required to surround the directive value with quotes manually. We will automatically add quotes. Script/style hashes, as well, will be auto-detected and surrounded with quotes.

// in a policy
...
   ->addDirective(Directive::SCRIPT, Keyword::SELF) // will output `'self'` when outputting headers
   ->addDirective(Directive::STYLE, 'sha256-hash') // will output `'sha256-hash'` when outputting headers
...

You can add multiple policy options in the same directive by giving an array as the second parameter to addDirective, or a single string in which every option is separated by one or more spaces.

// in a policy
...
   ->addDirective(Directive::SCRIPT, [
       Keyword::STRICT_DYNAMIC,
       Keyword::SELF,
       'www.google.com',
   ])
   ->addDirective(Directive::SCRIPT, 'strict-dynamic self  www.google.com')
   // will both output `'strict-dynamic' 'self' www.google.com` when outputting headers
...

There are also a few directives that take no value, e.g. upgrade-insecure-requests, block-all-mixed-content, ... In this case you can use the following value:

// in a policy
...
    ->addDirective(Directive::UPGRADE_INSECURE_REQUESTS, Value::NO_VALUE)
    ->addDirective(Directive::BLOCK_ALL_MIXED_CONTENT, Value::NO_VALUE);
...

This will output a CSP like this:

Content-Security-Policy: upgrade-insecure-requests;block-all-mixed-content

Creating policies

The policy key of the csp config file is set to \Spatie\Csp\Policies\Basic::class by default. This class allows your site to only use images, scripts and form actions from your own site. This is how the class looks:

namespace Spatie\Csp\Policies;

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;

class Basic extends Policy
{
    public function configure()
    {
        $this
            ->addDirective(Directive::BASE, Keyword::SELF)
            ->addDirective(Directive::CONNECT, Keyword::SELF)
            ->addDirective(Directive::DEFAULT, Keyword::SELF)
            ->addDirective(Directive::FORM_ACTION, Keyword::SELF)
            ->addDirective(Directive::IMG, Keyword::SELF)
            ->addDirective(Directive::MEDIA, Keyword::SELF)
            ->addDirective(Directive::OBJECT, Keyword::NONE)
            ->addDirective(Directive::SCRIPT, Keyword::SELF)
            ->addDirective(Directive::STYLE, Keyword::SELF)
            // a per-request nonce is added to script-src and style-src, see "Using inline scripts and styles"
            ->addNonceForDirective(Directive::SCRIPT)
            ->addNonceForDirective(Directive::STYLE);
    }
}

You can allow fetching scripts from www.google.com by extending this class:

namespace App\Services\Csp\Policies;

use Spatie\Csp\Directive;
use Spatie\Csp\Policies\Basic;

class MyCustomPolicy extends Basic
{
    public function configure()
    {
        parent::configure();

        // adds www.google.com to the script-src directive on top of the Basic defaults
        $this->addDirective(Directive::SCRIPT, 'www.google.com');
    }
}

Don't forget to set the policy key in the csp config file to the class name of your policy (in this case it would be App\Services\Csp\Policies\MyCustomPolicy).

Using inline scripts and styles

When using CSP you must specifically allow the use of inline scripts or styles. The recommended way of doing that with this package is to use a nonce. A nonce is a random value that is unique per request. The nonce must be specified in the CSP headers and in a nonce attribute on the script or style tag. Because an attacker cannot predict the nonce, injected scripts or styles that lack it will not be executed by the browser.

First you must add the nonce to the right directives in your policy:

// in a policy

public function configure()
{
    $this
        ->addDirective(Directive::SCRIPT, 'self')
        ->addDirective(Directive::STYLE, 'self')
        ->addNonceForDirective(Directive::SCRIPT)
        ->addNonceForDirective(Directive::STYLE);
        // ... other directives
}

Next you must add the nonce to the html:

{{-- in a view --}}
<style nonce="{{ csp_nonce() }}">
   ...
</style>

<script nonce="{{ csp_nonce() }}">
   ...
</script>

There are few other options to use inline styles and scripts. Take a look at the CSP docs on the Mozilla developer site to know more.

Integration with Vite

When building assets, Laravel's Vite plugin can generate a nonce that you can retrieve with Vite::useCspNonce. You can use it in your own NonceGenerator.

namespace App\Support;

use Illuminate\Support\Facades\Vite;
use Spatie\Csp\Nonce\NonceGenerator;

class LaravelViteNonceGenerator implements NonceGenerator
{
    public function generate(): string
    {
        // Vite generates a nonce on first use and returns that same value for the rest of the request
        return Vite::useCspNonce();
    }
}

Don't forget to specify the fully qualified class name of your NonceGenerator in the nonce_generator key of the csp config file.

Alternatively, you can instruct Vite to use a specific value as its nonce.

namespace App\Support;

use Illuminate\Support\Str;
use Illuminate\Support\Facades\Vite;
use Spatie\Csp\Nonce\NonceGenerator;

class RandomString implements NonceGenerator
{
    public function generate(): string
    {
        $myNonce = Str::random(32); // determine the value for `$myNonce` however you want

        // hand the same value to Vite so the tags it renders carry the nonce the header allows
        Vite::useCspNonce($myNonce);

        return $myNonce;
    }
}

Outputting a CSP Policy as a meta tag

In rare circumstances, a large site may have so many external connections that the CSP header actually exceeds the max header size. Thankfully, the CSP specification allows for outputting information as a meta tag in the head of a webpage.

To support this use case, this package provides a @cspMetaTag blade directive that you may place in the <head> of your site.

<head>
    @cspMetaTag(App\Services\Csp\Policies\MyCustomPolicy::class)
</head>

You should be aware of the following implementation details when using the meta tag blade directive:

  • Note that you should manually pass the fully qualified class name of the policy you want to output a meta tag for. The csp.policy and csp.report_only_policy config options have no effect here.
  • Because blade files don't have access to the Response object, the shouldBeApplied method will have no effect. If you have declared the @cspMetaTag directive and the csp.enabled config option is set to true, the meta tag will be output regardless.
  • Any configuration (such as setting your policy to report only) should be done in the configure method of the policy, rather than relying on settings in the csp config file. The csp.report_uri option will be respected, so there is no need to configure that manually.

Reporting CSP errors

In the browser

Instead of outright blocking all violations, you can put a policy in report only mode. In this case all requests will be made, but all violations will display in your favourite browser's console.

To put a policy in report only mode just call reportOnly() in the configure() function of a policy:

public function configure()
{
    parent::configure();
    
    $this->reportOnly();
}

To an external url

Any violations against the policy can be reported to a given url. You can set that url in the report_uri key of the csp config file. A great service that is specifically built for handling these violation reports is http://report-uri.io/.

Using multiple policies

To test changes to your CSP policy you can specify a second policy in the report_only_policy key of the csp config file. The policy specified in policy will be enforced, the one in report_only_policy will not. This is great for testing a new policy or changes to an existing CSP policy without breaking anything.
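Putting the nonce, strict-dynamic and report-only pieces together, here is an added example (not code from the package's README) of an enforced nonce-based policy and a stricter candidate policy that runs in report-only mode next to it. It assumes the class names StrictPolicy and CandidatePolicy in App\Services\Csp\Policies, a constructed host api.example.com, and that Directive::FRAME_ANCESTORS exists in the package's Directive class.

```php
<?php

namespace App\Services\Csp\Policies;

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;
use Spatie\Csp\Policies\Basic;
use Spatie\Csp\Value;

// Enforced policy (hypothetical name). Wire it up in config/csp.php as:
//   'policy'             => App\Services\Csp\Policies\StrictPolicy::class,
//   'report_only_policy' => App\Services\Csp\Policies\CandidatePolicy::class,
class StrictPolicy extends Basic
{
    public function configure()
    {
        // 'self' on every directive plus a per-request nonce on script-src and style-src
        parent::configure();

        $this
            // With strict-dynamic, browsers that support it ignore host allowlists for script-src:
            // only nonce-carrying scripts (and scripts they load) run, so an injected <script>
            // without the nonce is blocked even if it points at an allowed host.
            ->addDirective(Directive::SCRIPT, Keyword::STRICT_DYNAMIC)
            // Host kept as a fallback for browsers without strict-dynamic support
            ->addDirective(Directive::SCRIPT, 'www.google.com')
            // Assumed constant: forbid framing of the site (clickjacking)
            ->addDirective(Directive::FRAME_ANCESTORS, Keyword::NONE);
    }
}

// Candidate policy (hypothetical name): tightens the enforced one. Because it is listed under
// report_only_policy it is sent as Content-Security-Policy-Report-Only, so violations are only
// reported to the report_uri, never blocked, until you promote it to 'policy'.
class CandidatePolicy extends StrictPolicy
{
    public function configure()
    {
        parent::configure();

        $this
            // Constructed host: allow fetch/XHR to the API the front end talks to
            ->addDirective(Directive::CONNECT, 'api.example.com')
            // Directives without a value take Value::NO_VALUE
            ->addDirective(Directive::UPGRADE_INSECURE_REQUESTS, Value::NO_VALUE);
    }
}
```

Browsers that understand strict-dynamic will still execute a script that a nonce-carrying script appends, so keep the set of nonced bootstrap scripts small and reviewed.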

Using whoops

Laravel comes with whoops, an error handling framework that helps you debug your application with a pretty visualization of exceptions. Whoops uses inline scripts and styles because it can't make any assumptions about the environment it is being used in, so it won't work unless you allow unsafe-inline for scripts and styles.

One approach to this problem is to check config('app.debug') when setting your policy. Unfortunately this bears the risk of forgetting to test your code with all CSP rules enabled and having your app break at deployment. Alternatively, you could allow unsafe-inline only on error pages by adding this to the render method of your exception handler (usually in app/Exceptions/Handler.php):

$this->container->singleton(AppPolicy::class, function ($app) {
    return new AppPolicy();
});
app(AppPolicy::class)->addDirective(Directive::SCRIPT, Keyword::UNSAFE_INLINE);
app(AppPolicy::class)->addDirective(Directive::STYLE, Keyword::UNSAFE_INLINE);

where AppPolicy is the name of your CSP policy. This also works in every other situation to change the policy at runtime, in which case the singleton registration should be done in a service provider instead of the exception handler.

Note that unsafe-inline only works if you're not also sending a nonce or a strict-dynamic directive, so to be able to use this workaround, you have to specify all your inline scripts' and styles' hashes in the CSP header.

Another approach is to overwrite the Spatie\Csp\Policies\Policy::shouldBeApplied()-function in case Laravel responds with an error:

namespace App\Services\Csp\Policies;

use Illuminate\Http\Request;
use Spatie\Csp;
use Symfony\Component\HttpFoundation\Response;

class MyCustomPolicy extends Csp\Policies\Policy
{
    public function configure()
    {
        // Add directives
    }
    
    public function shouldBeApplied(Request $request, Response $response): bool
    {
        if (config('app.debug') && ($response->isClientError() || $response->isServerError())) {
            return false;
        }

        return parent::shouldBeApplied($request, $response);
    }
}

This approach completely deactivates the CSP and therefore also works if a strict CSP is used.

Testing

You can run all the tests with:

composer test
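A Laravel feature test is the quickest way to check that the middleware, the policy and the csp_nonce() helper agree, and to catch a policy change that silently drops the nonce. This added example is not part of the package's test suite; it assumes an application base test case Tests\TestCase, the package's Basic policy, and a constructed /csp-probe route registered in setUp().

```php
<?php

namespace Tests\Feature;

use Illuminate\Support\Facades\Route;
use Spatie\Csp\AddCspHeaders;
use Spatie\Csp\Policies\Basic;
use Tests\TestCase;

class CspHeadersTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Pin the config so the test does not depend on the app's .env
        config()->set('csp.enabled', true);
        config()->set('csp.policy', Basic::class);
        config()->set('csp.report_only_policy', '');

        // Constructed route: renders an inline script tagged with the request's nonce
        Route::get('/csp-probe', function () {
            return '<script nonce="' . csp_nonce() . '">console.log("ok")</script>';
        })->middleware(AddCspHeaders::class);
    }

    public function test_header_nonce_matches_the_nonce_in_the_markup(): void
    {
        $response = $this->get('/csp-probe');
        $response->assertOk();

        $header = $response->headers->get('Content-Security-Policy');
        $this->assertNotNull($header, 'CSP header missing');

        // The header must carry a nonce for script-src, and it must be the one the markup used;
        // a mismatch means every inline script on the page is blocked in production.
        $this->assertSame(1, preg_match("/script-src [^;]*'nonce-([A-Za-z0-9]+)'/", $header, $m));
        $this->assertStringContainsString('nonce="' . $m[1] . '"', $response->getContent());

        // Basic must not loosen the policy with unsafe-inline and must keep object-src closed
        $this->assertStringNotContainsString('unsafe-inline', $header);
        $this->assertStringContainsString("object-src 'none'", $header);
        $this->assertStringContainsString("form-action 'self'", $header);
    }

    public function test_no_header_when_csp_is_disabled(): void
    {
        config()->set('csp.enabled', false);

        $this->get('/csp-probe')->assertHeaderMissing('Content-Security-Policy');
    }
}
```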

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you've found a bug regarding security please mail [email protected] instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.
