Showing
6 changed files
with
162 additions
and
2 deletions.
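--- /dev/null
+++ b/[path not shown on page]/DefaultPolicy.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Services\Csp\Policies;
+
+use Spatie\Csp\Directive;
+use Spatie\Csp\Keyword;
+use Spatie\Csp\Policies\Policy;
+use Spatie\Csp\Scheme;
+
+/**
+ * Default CSP policy configuration for the application.
+ *
+ * @see \Spatie\Csp\Policies\Basic
+ */
+class DefaultPolicy extends Policy
+{
+    public function configure(): void
+    {
+        $this
+            ->addDirective(Directive::BASE, Keyword::SELF)
+            ->addDirective(Directive::CONNECT, Keyword::SELF)
+            ->addDirective(Directive::DEFAULT, Keyword::SELF)
+            ->addDirective(Directive::FORM_ACTION, Keyword::SELF)
+            ->addDirective(Directive::IMG, [Keyword::SELF, Keyword::UNSAFE_INLINE, Scheme::DATA])
+            ->addDirective(Directive::MEDIA, Keyword::SELF)
+            ->addDirective(Directive::OBJECT, Keyword::NONE)
+            ->addDirective(Directive::SCRIPT, [Keyword::SELF, Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE])
+            ->addDirective(Directive::STYLE, [Keyword::SELF, Keyword::UNSAFE_INLINE])
+            ->addDirective(Directive::FRAME, Keyword::NONE);
+    }
+}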
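Review bot: The `script-src` line `->addDirective(Directive::SCRIPT, [Keyword::SELF, Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE])` permits both inline scripts and eval, so any injected inline script still runs and the header gives little of the XSS protection a CSP is deployed for. Since the accompanying config registers a nonce generator, the policy could call `->addNonceForDirective(Directive::SCRIPT)` together with `Keyword::STRICT_DYNAMIC` and drop the two unsafe keywords once the application's inline scripts carry the nonce; the same applies to `'unsafe-inline'` on `Directive::STYLE`. `Keyword::UNSAFE_INLINE` in the `Directive::IMG` list has no effect, because that keyword is only meaningful for script and style sources, and can be removed. If the unsafe keywords must stay for now, a comment such as `// TODO: unsafe-inline/unsafe-eval weaken XSS protection; move inline scripts to nonces and remove` would record the intent for the next reader.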
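--- /dev/null
+++ b/[path not shown on page: CSP config]
@@ -0,0 +1,34 @@
+<?php
+
+return [
+
+    /*
+     * A policy will determine which CSP headers will be set. A valid CSP policy is
+     * any class that extends `Spatie\Csp\Policies\Policy`
+     */
+    'policy' => App\Services\Csp\Policies\DefaultPolicy::class,
+
+    /*
+     * This policy which will be put in report only mode. This is great for testing out
+     * a new policy or changes to existing csp policy without breaking anything.
+     */
+    'report_only_policy' => '',
+
+    /*
+     * All violations against the policy will be reported to this url.
+     * A great service you could use for this is https://report-uri.com/
+     *
+     * You can override this setting by calling `reportTo` on your policy.
+     */
+    'report_uri' => env('CSP_REPORT_URI', ''),
+
+    /*
+     * Headers will only be added if this setting is set to true.
+     */
+    'enabled' => env('CSP_ENABLED', true),
+
+    /*
+     * The class responsible for generating the nonces used in inline tags and headers.
+     */
+    'nonce_generator' => Spatie\Csp\Nonce\RandomString::class,
+];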
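Review bot: `'report_uri' => env('CSP_REPORT_URI', '')` together with `'report_only_policy' => ''` means `DefaultPolicy` is enforced from the first deploy with no reporting endpoint, so pages broken by the policy, and violations that would hint at injected content, go unobserved. Consider pointing `CSP_REPORT_URI` at a collector or trialling policy changes through `report_only_policy` first, and listing the `CSP_REPORT_URI` and `CSP_ENABLED` keys in the project's env example so the defaults are not silently relied on in production.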