PHP Classes

PHP Content Security Policy generator: Generate CSP headers to prevent security attacks

Version: csp-generator 0.5.3 | License: BSD License | PHP version: 5.3 | Categories: HTTP, PHP 5, Security
Description 

This class can generate CSP headers to prevent security attacks.

It can check the type of browser accessing the site and generate HTTP response headers according to configuration parameters, which helps prevent security attacks such as cross-site scripting.

Currently it can set the URL to which CSP violations are reported, the reflected XSS policy directive, and the allowed source URLs for images, CSS styles, JavaScript code, plugins, media, fonts, frames and object tags.

Depending on the browser it can generate the headers Content-Security-Policy, Content-Security-Policy-Report-Only, X-Content-Security-Policy-Report-Only, X-Content-Security-Policy, X-WebKit-CSP-Report-Only, X-WebKit-CSP, X-Frame-Options, and X-XSS-Protection.

Innovation Award: PHP Programming Innovation Award nominee, November 2014, number 5. Prize: one book of choice by Packt.
Content Security Policy is a set of conventions that allows Web application servers to tell browsers the sources of content that they should allow to load.

The idea is to avoid security attacks like cross-site scripting, caused by content loaded from foreign malicious sources.

This class makes it easier to implement a Content Security Policy for a site running PHP.

It can issue several types of HTTP response headers that define the sources from which PHP Web sites allow JavaScript and other types of resources to be loaded in their pages.

Manuel Lemos
Author: Tom Postma, The Netherlands (1 package; Innovation Award nominee: 1x)

Example

<?php
require_once('../CSPGenerator.php');
// Allow use of style="..." inline CSS.
// Unsafe, because a CSS injection can then control how the page looks.
CSPGenerator::getInstance()->addStylesrc("'unsafe-inline'");
// To avoid this it is recommended to use a stylesheet file instead and use only classes and IDs in the HTML.

// Set the headers; always call this method before any content output.
CSPGenerator::getInstance()->Parse();
// Start content output.
?><!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>example1 - allow (unsafe) inline css</title>
    </head>
    <body>
        <!-- The following text is allowed to be centred because 'unsafe-inline' is added to the CSP header. -->
        <p style="text-align: center">testing inline css use</p>
    </body>
</html>


Details

CSPGenerator

CSPGenerator is a singleton PHP class that generates the Content Security Policy HTTP header, and the related security HTTP headers, in the form supported by the user agent. The class takes care of sending the Content Security Policy header the user agent supports. For example, if the user agent only supports the deprecated X-Content-Security-Policy header because the visitor is using an old version of Firefox, CSPGenerator will make sure it only sends the X-Content-Security-Policy header, with the Content Security Policy directives that header supports.

How to use CSPGenerator

Simply add the following line to the top of your file: require_once('CSPGenerator.php');

Then, to generate the default restrictive Content Security Policy HTTP header, add the following line just before you send any content to the client: CSPGenerator::getInstance()->Parse();

To learn how to add Content Security Policy directives that relax the default restrictive policy, see the examples.
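Added example, not code from the CSPGenerator package: a stand-alone PHP sketch of what the class does for you, choosing the header name a legacy user agent understands, serialising the directives, and allowing one inline script by its SHA-256 hash (the technique of example6) instead of 'unsafe-inline'. The browser version thresholds and the /csp-report.php endpoint are assumptions, and unlike the class this sketch does not filter directives per browser.

```php
<?php
// Added example, not CSPGenerator's own code; thresholds below are assumptions.
// Header name a user agent understands: assume Firefox < 23 only knew
// X-Content-Security-Policy and Chrome < 25 only X-WebKit-CSP.
function cspHeaderName($userAgent, $reportOnly = false)
{
    $name = 'Content-Security-Policy';
    if (preg_match('/Firefox\/(\d+)/', $userAgent, $m) && (int) $m[1] < 23) {
        $name = 'X-Content-Security-Policy';
    } elseif (preg_match('/Chrome\/(\d+)/', $userAgent, $m) && (int) $m[1] < 25) {
        $name = 'X-WebKit-CSP';
    }
    return $reportOnly ? $name . '-Report-Only' : $name;
}

// CSP hash source for an inline script: 'sha256-<base64 of the raw digest>'.
// The browser hashes the exact text between <script> and </script>, so the
// string hashed here must be emitted byte for byte. Legacy prefixed headers
// predate hash sources, so under them the inline script simply stays blocked.
function cspHashSource($inlineScript)
{
    return "'sha256-" . base64_encode(hash('sha256', $inlineScript, true)) . "'";
}

// Serialise a directive map into "name src src; name src".
function cspHeaderValue(array $directives)
{
    $parts = array();
    foreach ($directives as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Restrictive policy: one inline script allowed by hash, no 'unsafe-inline',
// violations reported to an assumed /csp-report.php endpoint.
$script = "document.getElementById('msg').textContent = 'hello';";
$policy = array(
    'default-src' => array("'self'"),
    'script-src'  => array("'self'", cspHashSource($script)),
    'style-src'   => array("'self'"),
    'report-uri'  => array('/csp-report.php'),
);
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
// Like CSPGenerator::Parse(), this must run before any content output.
header(cspHeaderName($ua) . ': ' . cspHeaderValue($policy));
?>
<p id="msg"></p>
<script><?php echo $script; ?></script>
```

Any edit to the inline script changes its hash, so the policy and the page must be regenerated together; sending Content-Security-Policy-Report-Only first (second argument true) shows what would be blocked without breaking the page.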


Files

File | Role | Description
CSPGenerator.php | Class | CSPGenerator class
LICENSE | Lic. | License text
README.md | Doc. | Readme (markdown)
examples/ | | 10 files

Files / examples

File | Role | Description
example1.php | Example | How to allow the use of style="" attributes in HTML.
example2.php | Example | How to allow loading images from a different origin.
example3.js | Data | Dependency for example3.
example3.php | Example | How to allow the use of AJAX requests.
example4.php | Example | How to use a nonce to allow inline JavaScript/ECMAScript in a page.
example5.php | Example | How to use a nonce to allow inline CSS in a page.
example6.php | Example | How to calculate and use a hash to allow inline JavaScript/ECMAScript.
example7.php | Example | Adding the Content Security Policy META tag.
example8.php | Example | How to add the upgrade-insecure-requests directive (to get HTTPS-ready easily).
example9.php | Example | require-sri-for demo.
