承接 spaze/csp-config 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

spaze/csp-config

Composer 安装命令:

composer require spaze/csp-config

包简介

Build Content Security Policy from a config file

README 文档

README

Build Content Security Policy from a config file. Supports different policy per page or module, and snippets you can add dynamically, if needed.

PHP Tests

The library is designed to be usable with any framework (or without one) but comes with a bridge for Nette Framework.

Please note that this library will only build the header value and you still need to send the header yourself!

Installation

The best way to install the library is using Composer:

composer require spaze/csp-config

Nette Framework configuration

If you're using Nette Framework you can add the extension to your config file:

extensions:
    contentSecurityPolicy: Spaze\ContentSecurityPolicy\Bridges\Nette\CspConfigExtension

Example configuration

This is an example configuration, it's here to explain things and it's intentionally incomplete. You can also check the configuration used for my site.

contentSecurityPolicy:
    snippets:
        slideshare:
            child-src:
                - https://www.slideshare.net
    policies:
        *.*:
            default-src: "'none'"
            form-action: "'none'"
            report-uri: https://report-uri.com.example.net
            report-to: default
        www.*.*:
            default-src: "'none'"
            script-src:
                - "'strict-dynamic'"
                - "'nonce'"
                - "'self'"
                - "'report-sample'"
            upgrade-insecure-requests:
        www.trainings.training:
            @extends: www.*.*
            connect-src: https://api.example.com
        admin.*.*:
            @extends: www.*.*
        admin.blog.add:
            @extends: admin.*.*
            connect-src: "'self'"
        admin.blog.edit:
            @extends: admin.blog.add
    policiesReportOnly:
      *.*:
        default-src: "'self'"

Let's explain:

  • snippets This is where you define your snippets. A snippet consists of one or more Content Security Policy directives that can be added to the current Content Security Policy header with the addSnippet(string $snippetName) method like this: $this->contentSecurityPolicy->addSnippet($type); You can use it to add use it to extend your policy when there's a video on the page for example. There are sample snippets in snippets.neon which you can directly include in your configuration if you want.

  • policies Your CSP policies go here. The keys below mean [module.]presenter.action, wildcards are supported.

    • *.* means use these for all presenters and actions. As you can see in the example above, I've used quite restrictive policy and will allow more later on.
    • www.*.* applies to all presenters and actions in the "www" module.
    • @extends: www.*.* this configuration extends the www.*.* configuration, any values specified will be added, or merged. Use it to extend the default policy for some pages or actions. You can disable merging by prefixing the directive name with !, effectively overwriting the extended values, see below.
  • policiesReportOnly Like policies but intended to be used with Content-Security-Policy-Report-Only header, see below.

Policies can contain a few special keys and values:

  • keys with no values, like upgrade-insecure-requests: in the example above, will make the policy header contain just the key name and no values
  • 'nonce' will add a CSP nonce ('nonce-somethingrandomandunique') to the header. Nonces were defined in CSP2 and are used in a recommended policy using CSP3 'strict-dynamic'. For this to work spaze/nonce-generator is needed. It will also return the immutable nonce so you can add it to your <script> tags. This can be nicely automated with spaze/sri-macros.

Overriding values

If you don't want the extended values to be merged with the original values, prefix the directive name in the configuration with an exclamation mark (!). Consider the following simple example configuration:

contentSecurityPolicy:
    policies:
        *.*:
            default-src: "'none'"
        www.*:
            @extends: *.*
            default-src: "'self'"

Calling getHeader('www:...') would then return default-src 'none' 'self' which makes no sense and 'none' would even be ignored.

Change the configuration to this (note the ! prefix in default-src):

contentSecurityPolicy:
    policies:
        *.*:
            default-src: "'none'"
        www.*:
            @extends: *.*
            !default-src: "'self'"

Then calling getHeader('www:...') would return default-src 'self' which is probably what you'd want in this case.

How to send the generated header in Nette Framework

$header = $this->contentSecurityPolicy->getHeader($presenter->getAction(true));
if ($header) {
    $this->httpResponse->setHeader('Content-Security-Policy', $header);
}

You can get $presenter from \Nette\Application\Application like this for example:

/** @var \Nette\Application\UI\Presenter $presenter */
$presenter = $this->application->getPresenter();
$actionName = $presenter->getAction(true);

And get $this->application from dependency injection container:

public function __construct(private \Nette\Application\Application $application)
{
}

If you're in a presenter then you can use $this->getAction(true) instead.

Report-only policy

Use policiesReportOnly configuration key to define policies to use with Content-Security-Policy-Report-Only header:

contentSecurityPolicy:
    policies:
        *.*:
            default-src: "'none'"
    policiesReportOnly:
        *.*:
            default-src: "'self'"

Get the policy by calling getHeaderReportOnly() method:

$header = $this->contentSecurityPolicy->getHeaderReportOnly($presenter->getAction(true));
if ($header) {
    $this->httpResponse->setHeader('Content-Security-Policy-Report-Only', $header);
}

You can send both enforce and report-only policies which is useful for policy upgrades for example:

$header = $this->contentSecurityPolicy->getHeader($presenter->getAction(true));
if ($header) {
    $this->httpResponse->setHeader('Content-Security-Policy', $header);
}
$header = $this->contentSecurityPolicy->getHeaderReportOnly($presenter->getAction(true));
if ($header) {
    $this->httpResponse->setHeader('Content-Security-Policy-Report-Only', $header);
}

spaze/csp-config 适用场景与选型建议

spaze/csp-config 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 3.46k 次下载、GitHub Stars 达 14, 最近一次更新时间为 2016 年 04 月 22 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 spaze/csp-config 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 spaze/csp-config 我们能提供哪些服务?
定制开发 / 二次开发

基于 spaze/csp-config 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 3.46k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 14
  • 点击次数: 28
  • 依赖项目数: 0
  • 推荐数: 2

GitHub 信息

  • Stars: 14
  • Watchers: 3
  • Forks: 2
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2016-04-22