<?php

/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
$policy = new ContentSecurityPolicyHeaderBuilder();

// Deny everything by default: every fetch directive that is not set explicitly
// below (img-src, font-src, connect-src, frame-src, ...) falls back to 'none'.
// The builder is expected to render this as the quoted keyword 'none' — an
// unquoted "none" in a CSP header would be matched as a host name instead.
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// Scripts may only be loaded from this path prefix. In CSP a source whose path
// ends in "/" matches everything under that directory; the scheme is pinned to
// https so a plaintext origin can't be substituted.
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'https://example.com/scripts/');

// Same for stylesheets, from a separate path prefix.
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC, 'https://example.com/style/');

// Ask the builder for the header name/value pairs and emit them. The false
// argument presumably leaves the legacy X-Content-Security-Policy / X-WebKit-CSP
// variants out — confirm against the builder. header() only works before any
// response body has been written, so this must run before the first byte of output.
$cspHeaders = $policy->getHeaders(false);
foreach ($cspHeaders as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
Beispiel #2
<?php

/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
$builder = new ContentSecurityPolicyHeaderBuilder();

// Fallback for every directive not set below is 'none', so only the script and
// style sources whitelisted here are reachable; images, fonts, XHR, frames etc.
// are all blocked unless a directive for them is added.
$builder->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// Named source sets let one list of origins be reused across directives.
// Both lists are https-only path prefixes on dedicated CDN hosts.
$scriptCdns = ['https://cdn-scripts1.example.com/scripts/', 'https://cdn-scripts2.example.com/scripts/'];
$styleCdns  = ['https://cdn-style1.example.com/css/', 'https://cdn-style2.example.com/css/'];
$builder->defineSourceSet('my-scripts-cdn', $scriptCdns);
$builder->defineSourceSet('my-style-cdn', $styleCdns);

// Attach each set to the directive it is meant for. Keeping scripts and styles
// on separate sets (and hosts) means a compromise of the style CDN does not
// grant script execution.
$builder->addSourceSet(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'my-scripts-cdn');
$builder->addSourceSet(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC, 'my-style-cdn');

// Emit the resulting headers; the false argument presumably skips the legacy
// header variants (confirm against the builder). Must run before any output.
$cspHeaders = $builder->getHeaders(false);
foreach ($cspHeaders as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
Beispiel #3
<?php

/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
$policy = new ContentSecurityPolicyHeaderBuilder();

// Block all script execution. NOTE(review): this example sets no default-src,
// so every other resource type (images, styles, frames, XHR, ...) remains
// unrestricted — add a default-src if that is not intended.
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'none');

// Ask the browser to block, rather than filter, detected reflected XSS.
// Caveat: the reflected-xss CSP directive never left draft status and the
// browser XSS auditors it controlled have since been removed, so treat this as
// best-effort on old browsers only — the script-src policy above is the real control.
$policy->setReflectedXssPolicy(ContentSecurityPolicyHeaderBuilder::REFLECTED_XSS_BLOCK);

// Only same-origin pages may frame this response (clickjacking defence).
// X-Frame-Options predates CSP's frame-ancestors; both may be sent together.
$policy->setFrameOptions(ContentSecurityPolicyHeaderBuilder::FRAME_OPTION_SAME_ORIGIN);

// Violation reports are POSTed here as JSON by the browser. The report body is
// attacker-influenceable (anyone can trigger a violation), so report.php must
// treat it as untrusted input: cap the size, validate the JSON, and never echo it unescaped.
$policy->setReportUri('https://example.com/csp/report.php');

// Emit the headers; the true argument presumably also includes the legacy
// X-Content-Security-Policy / X-WebKit-CSP variants (confirm against the
// builder). Must run before any output has been sent.
$cspHeaders = $policy->getHeaders(true);
foreach ($cspHeaders as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
Beispiel #4
<?php

/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
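$policy = new ContentSecurityPolicyHeaderBuilder();

// Deny everything by default; only the nonce'd inline scripts below will run.
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// A CSP nonce is only worth anything while an attacker cannot guess it, so it
// MUST be freshly generated for every response from a cryptographic RNG. The
// original example used the constant string 'thisShouldBeRandom', which an
// attacker can simply copy into an injected script tag, defeating the policy.
// 16 bytes (128 bits) from random_bytes() is ample; base64 is the encoding the
// CSP grammar requires for nonce values, and its alphabet contains no quotes,
// spaces or semicolons, so the value is safe to place in the header and in a
// nonce attribute without further escaping.
$myScriptNonce = base64_encode(random_bytes(16));

// Whitelist exactly this nonce for script-src. Every inline script element that
// should execute must carry a nonce attribute with the same value; scripts
// without it (including anything injected) are blocked.
$policy->addNonce(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, $myScriptNonce);

// Emit the headers before any output is written (header() fails otherwise).
// The nonce must never be cached or reused across responses.
$headers = $policy->getHeaders(false);
foreach ($headers as $header) {
    header(sprintf('%s: %s', $header['name'], $header['value']));
}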
Beispiel #5
<?php

/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
$policy = new ContentSecurityPolicyHeaderBuilder();

// Deny everything by default; the only script allowed to run is the one whose
// SHA-256 digest is added below.
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// The inline script body. The browser hashes the exact bytes between the
// opening and closing script tags, so what is echoed into the page later must
// be byte-identical to this string — no added whitespace, no re-encoding.
$script = "alert('Hello, world.');";

// Raw (binary) SHA-256 of the script body; the builder is expected to base64-
// encode it into the 'sha256-...' source expression — confirm against the builder.
$scriptDigest = hash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_256, $script, true);
$policy->addHash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_256, $scriptDigest);

// Emit the headers; this has to happen before the HTML below is output.
$cspHeaders = $policy->getHeaders(false);
foreach ($cspHeaders as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
?>

<html>
<body>
<!-- Script will work: the element body is exactly $script (PHP swallows the single newline after the closing tag), so its SHA-256 matches the policy. Any extra whitespace or newline inside the script element changes the digest and the browser blocks it. -->
<script type="text/javascript"><?php 
echo $script;
?>
</script>
</body>
</html>
Beispiel #6
<?php

/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';
use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;
$builder = new ContentSecurityPolicyHeaderBuilder();

// Forbid all script execution. NOTE(review): no default-src is set here, so
// every other resource type stays unrestricted — add one if that is unintended.
$builder->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'none');

// Request block mode for the browser's reflected-XSS filter. Caveat: the
// reflected-xss directive stayed a draft and the XSS auditors behind it have
// been removed from current browsers, so this is a legacy best-effort knob;
// the script-src policy above is the control that actually holds.
$builder->setReflectedXssPolicy(ContentSecurityPolicyHeaderBuilder::REFLECTED_XSS_BLOCK);

// Browsers POST JSON violation reports to this endpoint. Anyone can provoke a
// violation, so report.php must treat the body as untrusted: bound its size,
// validate the JSON, and escape it before displaying or logging it.
$builder->setReportUri('https://example.com/csp/report.php');

// Emit the headers (false presumably omits the legacy header variants — confirm
// against the builder). Must run before any response output.
$cspHeaders = $builder->getHeaders(false);
foreach ($cspHeaders as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}