| Ratings | | Unique User Downloads | | Download Rankings |
 68% | | Total: 701 | | All time: 4,686 This week: 71 |
|
| Description | | Author |
This class can generate CSP headers to prevent security attacks.
It can check the type of browser accessing the site and generate HTTP response headers according to configuration parameters that can help preventing security attacks like cross-site scripting.
Currently it can set the URL to report CSP violations, the XSS reflected policy directive, the allowed source URLs for images, CSS styles, JavaScript code, plugins, media, font, frame and object tags.
Depending on the browser it can generate the headers Content-Security-Policy, Content-Security-Policy-Report-Only, X-Content-Security-Policy-Report-Only, X-Content-Security-Policy, X-WebKit-CSP-Report-Only, X-WebKit-CSP, X-Frame-Options, and X-XSS-Protection. Innovation Award
November 2014
Number 5
Prize: One book of choice by Packt |
Content Security Policy is a set of conventions that allows application Web servers tell browsers the sources of content that they should allow to load.
The idea is to avoid security attacks like cross-site scripting, caused by content loaded from foreign malicious sources.
This class makes it easier to implement a Content Security Policy for a site running PHP.
It can issue several types of HTTP response headers that define from where PHP Web sites allow to load JavaScript and other types of resources in their pages.
Manuel Lemos |
| |
 |
|
Innovation award
Nominee: 1x |
|
Example
<?php
require_once('../CSPGenerator.php');
// Allow use of style="..." inline CSS.
// Unsafe because a css injection can then control how the page looks.
CSPGenerator::getInstance()->addStylesrc("'unsafe-inline'");
// To avoid this it's recommended to use a stylesheets file instead and use classes and id's only in html.
// Set the headers, always call this method before any content output.
CSPGenerator::getInstance()->Parse();
// Start content output.
?><!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>example1 - allow (unsafe)inline css</title>
</head>
<body>
<!-- The following text is allowed to be centred because 'unsafe-inline' is added the CSP header. -->
<p style="text-align: center">testing inline css use</p>
</body>
</html>
|
Details
CSPGenerator
CSPGenerator is a singleton PHP Class to generate the Content Security Policy HTTP header,
and other security HTTP headers related to the Content Security Policy HTTP header supported by the user-agent.
The class will take care of sending the supported Content Security Policy HTTP header to the user-agent.
E.g. if the user-agent only supports the decreated X-Content-Security-Policy header because the visitor is using a old version of Firefox. The CSPGenerator class will make sure the only sends the X-Content-Security-Policy header with the supported Content Security Policy directives.
how to use the CSPGenerator?
Simply add the following line to the top of your file:
require_once('CSPGenerator.php');
Then to generate the default restrictive Content Security Policy HTTP header
add the following line just before you sending any content to the client.
CSPGenerator::getInstance()->Parse();
To learn more about how to add Content Security Policy directives to relax the default restrictive content security policy see the examples.
| |
Applications that use this package |
|
No pages of applications that use this class were specified.
If you know an application of this package, send a message to the author to add a link here.
Download
Files
Install with Composer
CSPGenerator.php
