Content Security Policy (CSP)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.


Modern browsers implement CSP, but it needs to be activated by sending them a series of specific headers.

Distantmagic\Resonance\SecurityPolicyHeaders provides not only Content Security Policy (CSP) headers but also some additional headers recommended by OWASP's Secure Headers Project.


Invoking Policies Manually

Some CSP presets are provided by the Distantmagic\Resonance\SecurityPolicyHeaders class. All of them are deliberately restrictive but enable the usage of Nonces through Distantmagic\Resonance\CSPNonceManager to enable the controlled use of the inline code.

You can either send them manually by calling the preset methods:

Method Description
sendContentSecurityPolicyHeader Sends restrictive CSP headers that prevent embedding all external resources and block all external requests.
sendTemplatedPagePolicyHeaders Sends headers appropriate for a page that uses HTML templates.
sendJsonPagePolicyHeaders Sends headers appropriate for a page with JSON response.

Invoking Policies Using Attributes

You can use the #[ContentSecurityPolicy(ContentSecurityPolicyType)] attribute in your Responders to attach the Middleware that sends CSP headers.

Using Nonces


To use nonces manually, you need to use the CSP Nonce Manager:

/** * @var \Distantmagic\Resonance\CSPNonceManager $cspNonceManager * @var \Psr\Http\Message\ServerRequestInterface $request */ $cspNonceManager->getRequestNonce($request);

The above method returns a string with CSP Nonce and also adds this Nonce to the Content Security Headers returned by the HTTP Response.


Twig integration works the same way as PHP Nonce Manager but can be used directly in templates without using the CSPNonceManager directly.

Learn more at Twig documentation.

Edit on GitHub