Provides support for enforcing Content Security Policy with headers in Laravel responses.
Via Composer
$ composer require stevenmaguire/laravel-middleware-csp
// within app/Http/Kernel.php
protected $routeMiddleware = [
    //
    'secure.content' => \Stevenmaguire\Laravel\Http\Middleware\EnforceContentSecurity::class,
    //
];
The following will apply all default profiles to the gallery route.
// within app/Http/routes.php
Route::get('gallery', ['middleware' => 'secure.content'], function () {
    return 'pictures!';
});
The following will apply all default profiles and a specific flickr profile to the gallery route.
// within app/Http/routes.php
Route::get('gallery', ['middleware' => 'secure.content:flickr'], function () {
    return 'pictures!';
});
The following will apply all default profiles to all methods within the GalleryController.
// within app/Http/Controllers/GalleryController.php
public function __construct()
{
    $this->middleware('secure.content');
}
The following will apply all default profiles and a specific google profile to all methods within the GalleryController.
// within app/Http/Controllers/GalleryController.php
public function __construct()
{
    $this->middleware('secure.content:google');
}
You can include any number of specific profiles in any middleware decoration. For instance, the following will apply the default, google, flickr, and my_custom profiles to all methods within the GalleryController.
// within app/Http/Controllers/GalleryController.php
public function __construct()
{
    $this->middleware('secure.content:google,flickr,my_custom');
}
The default location for content security profiles is security.content. If you wish to use this default configuration, ensure your project includes the appropriate configuration files.
The structure of this configuration array is important. The middleware expects to find a default key with a string value and a profiles key with an array value.
// within config/security.php
return [
    'content' => [
        'default' => '',
        'profiles' => [],
    ],
];
The profiles array contains the security profiles for your application. Each profile name must be unique and is expected to have an array value.
// within config/security.php
return [
    'content' => [
        'default' => '',
        'profiles' => [
            'profile_one' => [],
            'profile_two' => [],
            'profile_three' => [],
        ],
    ],
];
Each profile array should contain keys that correspond to Content Security Policy directives. The value of each of these directives can be a string, a comma-separated string, or an array of strings. Each string value should correspond to a source (domain or keyword) allowed by that directive within that profile.
// within config/security.php
return [
    'content' => [
        'default' => '',
        'profiles' => [
            'profile_one' => [
                'base-uri' => 'https://domain.com,http://google.com',
            ],
            'profile_two' => [
                'font-src' => 'https://domain.com',
                'base-uri' => [
                    "'self'",
                    'http://google.com'
                ],
            ],
            'profile_three' => [
                'font-src' => [
                    "'self'"
                ],
            ],
        ],
    ],
];
The default key value should be a string, a comma-separated string, or an array of strings that correspond to the unique profile names you would like to enforce on all responses, i.e. the minimal content security applied to every response that passes through the middleware.
// within config/security.php
return [
    'content' => [
        'default' => 'profile_one',
        'profiles' => [
            'profile_one' => [
                'base-uri' => 'https://domain.com,http://google.com',
            ],
            'profile_two' => [
                'font-src' => 'https://domain.com',
                'base-uri' => [
                    "'self'",
                    'http://google.com'
                ],
            ],
            'profile_three' => [
                'font-src' => [
                    "'self'"
                ],
            ],
        ],
    ],
];
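To make the three accepted value shapes and the default-plus-named-profile combination concrete, here is an added illustration (not the package's own code) of how a security.content array and the profile names passed to the middleware can be resolved into a single Content-Security-Policy header value. The merge rule it uses, default profiles first, then the requested ones, with the sources of any directive that appears in several profiles unioned, is an assumption about the package's behaviour, as are the helper names normaliseSources, resolveDirectives and buildHeaderValue.

```php
<?php
// Added illustration, not code from the stevenmaguire/laravel-middleware-csp
// package. Assumption: the middleware merges the 'default' profiles with the
// profiles named in the route parameter and unions directive sources.

// Normalise a directive value that may be a string, a comma-separated string,
// or an array of strings into a de-duplicated list of trimmed source strings.
function normaliseSources($value): array
{
    $items = is_array($value) ? $value : explode(',', (string) $value);
    $items = array_map('trim', $items);
    $items = array_filter($items, fn ($s) => $s !== '');

    return array_values(array_unique($items));
}

// Merge the default profiles plus the explicitly requested ones into a
// directive => [sources] map. An unknown profile name is an error rather than
// being ignored, so a typo cannot silently produce a weaker policy.
function resolveDirectives(array $contentConfig, array $requested): array
{
    $names = array_merge(normaliseSources($contentConfig['default'] ?? ''), $requested);
    $directives = [];

    foreach ($names as $name) {
        if (!isset($contentConfig['profiles'][$name])) {
            throw new InvalidArgumentException("Unknown content security profile: {$name}");
        }
        foreach ($contentConfig['profiles'][$name] as $directive => $sources) {
            $merged = array_merge($directives[$directive] ?? [], normaliseSources($sources));
            $directives[$directive] = array_values(array_unique($merged));
        }
    }

    return $directives;
}

// Serialise the directive map in CSP header syntax: "name src src; name src".
function buildHeaderValue(array $directives): string
{
    $parts = [];
    foreach ($directives as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }

    return implode('; ', $parts);
}

// Constructed sample config in the shape documented above; 'global' is the
// default profile and 'flickr' is only applied when requested.
$config = [
    'default' => 'global',
    'profiles' => [
        'global' => [
            'img-src' => "'self'",
            'script-src' => "'self'",
            'font-src' => "'self',fonts.gstatic.com",
        ],
        'flickr' => [
            'img-src' => ['https://*.staticflickr.com'],
        ],
    ],
];

// Equivalent of decorating a route with 'secure.content:flickr'.
$directives = resolveDirectives($config, ['flickr']);
echo buildHeaderValue($directives), PHP_EOL;
```

Run it with `php resolve.php` (any file name). The point to take from it is that a named profile never replaces the default profile's directives; it only widens them, so the default profile remains the floor for every response and a route-specific profile such as flickr can only add sources.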
Here is a real-world example:
// within config/security.php
return [
    'content' => [
        'default' => 'global',
        'profiles' => [
            'global' => [
                'base-uri' => "'self'",
                'font-src' => [
                    "'self'",
                    'fonts.gstatic.com'
                ],
                'img-src' => "'self'",
                'script-src' => "'self'",
                'style-src' => [
                    "'self'",
                    "'unsafe-inline'",
                    'fonts.googleapis.com'
                ],
            ],
            'flickr' => [
                'img-src' => [
                    'https://*.staticflickr.com',
                ],
            ],
        ],
    ],
];
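A policy that lives only in a config file is easy to break with a later edit, so it is worth pinning it with a feature test. The following is an added example, not part of the package or of this README's project; it assumes the gallery route shown earlier is registered with 'secure.content:flickr', that the config is the real-world example above, and that the middleware emits the standard Content-Security-Policy header. The parsePolicy helper and the test class name are the example's own.

```php
<?php
// Added example, not code from the package. Assumes the 'gallery' route is
// decorated with 'secure.content:flickr' and that the real-world config
// above is in place.

namespace Tests\Feature;

use Tests\TestCase;

class ContentSecurityPolicyTest extends TestCase
{
    public function testGalleryResponseCarriesMergedPolicy(): void
    {
        $response = $this->get('/gallery');

        $response->assertOk();
        // Presence check first: a missing header means no policy at all.
        $response->assertHeader('Content-Security-Policy');

        $policy = $this->parsePolicy($response->headers->get('Content-Security-Policy'));

        // Sources contributed by the 'global' default profile.
        $this->assertContains("'self'", $policy['script-src'] ?? []);
        $this->assertContains('fonts.gstatic.com', $policy['font-src'] ?? []);

        // Source contributed only by the route-specific 'flickr' profile.
        $this->assertContains('https://*.staticflickr.com', $policy['img-src'] ?? []);

        // Regression guard: script-src must never pick up 'unsafe-inline',
        // which would defeat the main purpose of the policy.
        $this->assertNotContains("'unsafe-inline'", $policy['script-src'] ?? []);
    }

    // Parse "directive src src; directive src" into directive => [sources].
    private function parsePolicy(string $header): array
    {
        $directives = [];
        foreach (array_filter(array_map('trim', explode(';', $header))) as $part) {
            $tokens = preg_split('/\s+/', $part);
            $directives[array_shift($tokens)] = $tokens;
        }

        return $directives;
    }
}
```

The test asserts on individual sources rather than on the exact header string, so it keeps passing if the package changes directive ordering or spacing. Note that the real-world profile above allows 'unsafe-inline' for style-src; that is a common concession for inline styles, but the same value on script-src would remove most of the cross-site-scripting protection the policy provides, which is why the test checks for it explicitly.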
$ ./vendor/bin/phpunit
Please see CONTRIBUTING for details.
The MIT License (MIT). Please see License File for more information.