Middleware to add the Content-Security-Policy header to the response using paragonie/csp-builder library.

• PHP >= 7.2
• A PSR-7 http library
• A PSR-15 middleware dispatcher

This package is installable and autoloadable via Composer as middlewares/csp.

composer require middlewares/csp

use ParagonIE\CSPBuilder\CSPBuilder;
$csp = CSPBuilder::fromFile('/path/to/source.json');
Dispatcher::run([
    new Middlewares\Csp($csp)
]);

Set the CSP builder to the constructor. See paragonie/csp-builder for more info. If it's not provided, create a generic one with restrictive directives.

To generate legacy CSP headers for old browsers (X-Content-Security-Policy and X-Webkit-CSP). By default is true but you can disabled it:

$middleware = (new Middlewares\Csp($csp))->legacy(false);

Shortcut to create instances using a json file:

Dispatcher::run([
    Middlewares\Csp::createFromFile(__DIR__.'/csp-config.json')
]);

Shortcut to create instances using an array with data:

Dispatcher::run([
    Middlewares\Csp::createFromData([
        'script-src' => ['self' => true],
        'object-src' => ['self' => true],
        'frame-ancestors' => ['self' => true],
    ])
]);

Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.

The MIT License (MIT). Please see LICENSE for more information.