<?php
/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

// Example: deny everything by default, then allow scripts and styles from one
// origin each. Headers are emitted before any output so header() can succeed.
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

$builder = new ContentSecurityPolicyHeaderBuilder();

// [directive, source expression] pairs, applied in this order.
$sourceExpressions = [
    [ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none'],
    [ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'https://example.com/scripts/'],
    [ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC, 'https://example.com/style/'],
];

foreach ($sourceExpressions as list($directive, $expression)) {
    $builder->addSourceExpression($directive, $expression);
}

// Each entry of getHeaders() carries a 'name' and a 'value'; send them as-is.
foreach ($builder->getHeaders(false) as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
<?php
/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

// Example: named source sets. A set is defined once under a label and can then
// be attached to a directive by that label instead of repeating the origins.
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

$builder = new ContentSecurityPolicyHeaderBuilder();

// Nothing is allowed unless a more specific directive says so.
$builder->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// label => [directive that will use it, origins in the set]
$sourceSets = [
    'my-scripts-cdn' => [
        ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC,
        ['https://cdn-scripts1.example.com/scripts/', 'https://cdn-scripts2.example.com/scripts/'],
    ],
    'my-style-cdn' => [
        ContentSecurityPolicyHeaderBuilder::DIRECTIVE_STYLE_SRC,
        ['https://cdn-style1.example.com/css/', 'https://cdn-style2.example.com/css/'],
    ],
];

// Define every set first, then attach them, matching the original call order.
foreach ($sourceSets as $label => $set) {
    $builder->defineSourceSet($label, $set[1]);
}
foreach ($sourceSets as $label => $set) {
    $builder->addSourceSet($set[0], $label);
}

foreach ($builder->getHeaders(false) as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
<?php
/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

// Example: a script-free policy combined with the builder's auxiliary headers
// (reflected-XSS handling, X-Frame-Options) and a violation report endpoint.
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

$builder = new ContentSecurityPolicyHeaderBuilder();

// No script source at all.
$builder->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'none');

// Ask the browser to block (not just filter) detected reflected XSS.
// NOTE(review): the reflected-xss directive was dropped from later CSP levels,
// so current browsers may ignore it — keep script-src as the real control.
$builder->setReflectedXssPolicy(ContentSecurityPolicyHeaderBuilder::REFLECTED_XSS_BLOCK);

// Only same-origin pages may frame this response (clickjacking mitigation).
$builder->setFrameOptions(ContentSecurityPolicyHeaderBuilder::FRAME_OPTION_SAME_ORIGIN);

// Violations are POSTed here by the browser.
$builder->setReportUri('https://example.com/csp/report.php');

// getHeaders(true): the boolean is passed through unchanged from the original
// example; see the builder for what it selects.
$cspHeaders = $builder->getHeaders(true);

foreach ($cspHeaders as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}
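<?php
/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

// Example: allow one inline script by nonce while everything else is denied.
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

$policy = new ContentSecurityPolicyHeaderBuilder();

// Set the default-src directive to 'none'
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// The nonce must be unpredictable and freshly generated for every response.
// A fixed value (the original example used the literal 'thisShouldBeRandom')
// can be copied into injected markup and would make the nonce useless as a
// control. 16 bytes from the CSPRNG is ample; base64 keeps it within the
// character set CSP expects for a nonce value.
// NOTE(review): check whether addNonce() base64-encodes its argument itself;
// if it does, pass the raw bytes instead to avoid double encoding.
$myScriptNonce = base64_encode(random_bytes(16));

// Add the nonce to the script-src directive. The same value has to be placed
// in the nonce="" attribute of the one <script> element that is allowed to run.
$policy->addNonce(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, $myScriptNonce);

$headers = $policy->getHeaders(false);

foreach ($headers as $header) {
    header(sprintf('%s: %s', $header['name'], $header['value']));
}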
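<?php
/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

// Example: allow one inline script by its SHA-256 digest while everything
// else is denied.
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

$policy = new ContentSecurityPolicyHeaderBuilder();

// Set the default-src directive to 'none'
$policy->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_DEFAULT_SRC, 'none');

// The inline script body. This is a developer-controlled literal, not user
// input, so echoing it into the page below is safe.
$script = "alert('Hello, world.');";

// The browser hashes the inline script's text byte-for-byte (whitespace
// included), so the digest must be computed over exactly the bytes that end
// up between <script> and </script>. The raw (binary) digest is passed;
// the builder is expected to base64-encode it for the header.
// NOTE(review): this relies on HASH_SHA_256 also being the algorithm name
// hash() understands — confirm against the builder's constant.
$policy->addHash(
    ContentSecurityPolicyHeaderBuilder::HASH_SHA_256,
    hash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_256, $script, true)
);

// Get your CSP headers
$headers = $policy->getHeaders(false);

foreach ($headers as $header) {
    header(sprintf('%s: %s', $header['name'], $header['value']));
}
?>
<html>
<body>
<!-- Runs because its SHA-256 digest is whitelisted above. The script text is
     emitted with no surrounding whitespace so it matches the hashed bytes. -->
<script type="text/javascript"><?php echo $script; ?></script>
</body>
</html>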
<?php
/**
 * Copyright 2015, Martijn Croonen.
 * All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

// Example: script-free policy with reflected-XSS blocking and a report URL.
include '../src/Phpcsp/Security/ContentSecurityPolicyHeaderBuilder.php';

use Phpcsp\Security\ContentSecurityPolicyHeaderBuilder;

$builder = new ContentSecurityPolicyHeaderBuilder();

// No script source at all.
$builder->addSourceExpression(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, 'none');

// Ask the browser to block (not just filter) detected reflected XSS.
// NOTE(review): the reflected-xss directive was dropped from later CSP levels,
// so current browsers may ignore it — keep script-src as the real control.
$builder->setReflectedXssPolicy(ContentSecurityPolicyHeaderBuilder::REFLECTED_XSS_BLOCK);

// Violations are POSTed here by the browser.
$builder->setReportUri('https://example.com/csp/report.php');

foreach ($builder->getHeaders(false) as $cspHeader) {
    header($cspHeader['name'] . ': ' . $cspHeader['value']);
}