Add CSP policy to all responses

.phpstorm.meta.php

@@ -80,6 +80,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -294,6 +295,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -508,6 +510,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -722,6 +725,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -936,6 +940,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -1150,6 +1155,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -1364,6 +1370,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -1578,6 +1585,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -1792,6 +1800,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -2006,6 +2015,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,
@@ -2220,6 +2230,7 @@
             'NunoMaduro\Collision\Contracts\Provider' => \NunoMaduro\Collision\Provider::class,
             'Psr\Http\Message\ResponseInterface' => \Nyholm\Psr7\Response::class,
             'Psr\Http\Message\ServerRequestInterface' => \Nyholm\Psr7\ServerRequest::class,
+            'Spatie\Csp\Nonce\NonceGenerator' => \Spatie\Csp\Nonce\RandomString::class,
             'Spatie\MediaLibrary\MediaCollections\Filesystem' => \Spatie\MediaLibrary\MediaCollections\Filesystem::class,
             'Spatie\MediaLibrary\MediaCollections\MediaRepository' => \Spatie\MediaLibrary\MediaCollections\MediaRepository::class,
             'Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\TinyPlaceholderGenerator' => \Spatie\MediaLibrary\ResponsiveImages\TinyPlaceholderGenerator\Blurred::class,

app/Http/Kernel.php

@@ -31,6 +31,7 @@ class Kernel extends HttpKernel
             \Illuminate\View\Middleware\ShareErrorsFromSession::class,
             \App\Http\Middleware\VerifyCsrfToken::class,
             \Illuminate\Routing\Middleware\SubstituteBindings::class,
+            \Spatie\Csp\AddCspHeaders::class,
         ],
 
         'api' => [

app/Services/Csp/Policies/DefaultPolicy.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Services\Csp\Policies;
+
+use Spatie\Csp\Directive;
+use Spatie\Csp\Keyword;
+use Spatie\Csp\Policies\Policy;
+use Spatie\Csp\Scheme;
+
+/**
+ * Default CSP policy configuration for the application.
+ *
+ * @see \Spatie\Csp\Policies\Basic
+ */
+class DefaultPolicy extends Policy
+{
+    public function configure(): void
+    {
+        $this
+            ->addDirective(Directive::BASE, Keyword::SELF)
+            ->addDirective(Directive::CONNECT, Keyword::SELF)
+            ->addDirective(Directive::DEFAULT, Keyword::SELF)
+            ->addDirective(Directive::FORM_ACTION, Keyword::SELF)
+            ->addDirective(Directive::IMG, [Keyword::SELF, Keyword::UNSAFE_INLINE, Scheme::DATA])
+            ->addDirective(Directive::MEDIA, Keyword::SELF)
+            ->addDirective(Directive::OBJECT, Keyword::NONE)
+            ->addDirective(Directive::SCRIPT, [Keyword::SELF, Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE])
+            ->addDirective(Directive::STYLE, [Keyword::SELF, Keyword::UNSAFE_INLINE])
+            ->addDirective(Directive::FRAME, Keyword::NONE);
+    }
+}

composer.json

@@ -25,6 +25,7 @@
         "laravel/tinker": "^2.5",
         "league/flysystem-aws-s3-v3": "~1.0",
         "phospr/fraction": "^1.2",
+        "spatie/laravel-csp": "^2.6",
         "spatie/laravel-medialibrary": "^9.0.0",
         "spatie/laravel-tags": "^3.0"
     },

config/csp.php

@@ -0,0 +1,34 @@
+<?php
+
+return [
+
+    /*
+     * A policy will determine which CSP headers will be set. A valid CSP policy is
+     * any class that extends `Spatie\Csp\Policies\Policy`
+     */
+    'policy' => App\Services\Csp\Policies\DefaultPolicy::class,
+
+    /*
+     * This policy which will be put in report only mode. This is great for testing out
+     * a new policy or changes to existing csp policy without breaking anything.
+     */
+    'report_only_policy' => '',
+
+    /*
+     * All violations against the policy will be reported to this url.
+     * A great service you could use for this is https://report-uri.com/
+     *
+     * You can override this setting by calling `reportTo` on your policy.
+     */
+    'report_uri' => env('CSP_REPORT_URI', ''),
+
+    /*
+     * Headers will only be added if this setting is set to true.
+     */
+    'enabled' => env('CSP_ENABLED', true),
+
+    /*
+     * The class responsible for generating the nonces used in inline tags and headers.
+     */
+    'nonce_generator' => Spatie\Csp\Nonce\RandomString::class,
+];