Content Security Policy (CSP)
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Modern browsers implement CSP, but it needs to be activated by sending them a series of specific headers.
Distantmagic\ provides not only Content Security Policy (CSP) headers but also some additional headers recommended by OWASP's Secure Headers Project.
Usage
Invoking Policies Manually
Some CSP presets are provided by the Distantmagic\ class. All of them are deliberately restrictive but support nonces through Distantmagic\ to allow controlled use of inline code.
You can either send them manually by calling the preset methods:

| Method | Description |
|---|---|
| `sendContentSecurityPolicyHeader` | Sends restrictive CSP headers that prevent embedding all external resources and block all external requests. |
| `sendTemplatedPagePolicyHeaders` | Sends headers appropriate for a page that uses HTML templates. |
| `sendJsonPagePolicyHeaders` | Sends headers appropriate for a page with a JSON response. |
Invoking Policies Using Attributes
You can use the `#[ContentSecurityPolicy(` attribute in your Responders to attach the Middleware that sends CSP headers.
Using Nonces
PHP
To use nonces manually, you need to use the CSP Nonce Manager:
```php
/**
 * @var \Distantmagic\Resonance\CSPNonceManager $cspNonceManager
 * @var \Psr\Http\Message\ServerRequestInterface $request
 */
$cspNonceManager->getRequestNonce($request);
```

The above method returns a string with the CSP nonce and also adds this nonce to the Content Security Policy headers returned by the HTTP response.
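To show what a per-request nonce buys you, here is an added, self-contained example (not Resonance's own code; the `ExampleCspNonce` class and its method names are assumptions) that generates one nonce per response, builds a restrictive policy around it, and emits a matching inline `<script>`:

```php
<?php
// Added example, not part of the Resonance framework. Mirrors the idea of
// the page's CSPNonceManager: one unpredictable nonce per response, shared
// between the CSP header and any inline code the page intentionally ships.

declare(strict_types=1);

final class ExampleCspNonce
{
    private ?string $nonce = null;

    // 128 bits from the CSPRNG, base64-encoded so the value is safe both in
    // the header and inside an HTML attribute. Cached so the header and the
    // markup always see the same value for this response.
    public function get(): string
    {
        return $this->nonce ??= base64_encode(random_bytes(16));
    }

    // Restrictive policy: everything is denied unless it carries the nonce.
    // This matches the "block all external requests" posture of the presets.
    public function policyHeader(): string
    {
        $n = $this->get();

        return implode('; ', [
            "default-src 'none'",
            "script-src 'nonce-{$n}'",
            "style-src 'nonce-{$n}'",
            "base-uri 'none'",
            "form-action 'self'",
            "frame-ancestors 'none'",
        ]);
    }
}

$nonce = new ExampleCspNonce();

// Header must be sent before any body output.
header('Content-Security-Policy: ' . $nonce->policyHeader());

// Only inline blocks carrying this exact nonce attribute execute; an
// injected <script> without it (the classic XSS payload) is refused by
// the browser. Escape the value even though base64 is attribute-safe.
$attr = htmlspecialchars($nonce->get(), ENT_QUOTES, 'UTF-8');
echo "<script nonce=\"{$attr}\">console.log('allowed by nonce');</script>";
```

Because the nonce is regenerated on every response, a value an attacker learns from one page load is useless on the next; reusing a fixed nonce would reduce the policy to `'unsafe-inline'`.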
Twig
Twig integration works the same way as the PHP Nonce Manager but can be used directly in templates without calling the CSPNonceManager yourself.

Learn more in the Twig documentation.