This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

Content Security Policy plugin for Phalcon Framework


eugene-manuilov/phalcon-csp

Content Security Policy for Phalcon Framework

This plugin lets you add CSP policies to your Phalcon-based website. Content Security Policy (CSP) is a security standard to prevent cross-site scripting (XSS), clickjacking and other code injection attacks. See the article "An Introduction to Content Security Policy" for more details.

Installation

Use Composer to install it:

$ composer require eugene-manuilov/phalcon-csp

Usage

To use the CSP plugin on your site, add it to the dependency injection container and register it as an event listener for dispatcher events.

<?php

use Phalcon\Mvc\Application;
use Phalcon\Plugin\CSP\ContentSecurityPolicy;

// register CSP service
$di->set( 'csp', function() {
    $csp = new ContentSecurityPolicy();
    return $csp;
}, true );

// register application and add CSP to event manager
try {
    $csp = $di->getShared( 'csp' );

    $eventsManager = new \Phalcon\Events\Manager();
    $eventsManager->attach( 'application:beforeSendResponse', $csp );

    $application = new Application($di);
    $application->setEventsManager( $eventsManager );

    $response = $application->handle();
    $response->send();
} catch (\Exception $e) {
    echo $e->getMessage();
}

Now all your policies will be compiled into a Content-Security-Policy header and added to the response instance. To add a new policy, call the addPolicy() function, which accepts a policy name and a value:

<?php

use Phalcon\Plugin\CSP\ContentSecurityPolicy as CSP;

class IndexController extends \Phalcon\Mvc\Controller {

    public function indexAction() {
        // whitelist Google fonts origin
        $this->csp->addPolicy( CSP::DIRECTIVE_FONT_SRC, 'https://fonts.gstatic.com' );
    }

}

If you want to specify a report URL to which all violations will be reported, call the setReportURI() function.

$di->set( 'csp', function() {
    $csp = new ContentSecurityPolicy();
    $csp->setReportURI( '/path/to/report/endpoint' );

    return $csp;
}, true );
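
What the endpoint passed to setReportURI() has to handle, as an added example that is not part of phalcon-csp: browsers POST each violation as JSON with Content-Type application/csp-report, and the endpoint is unauthenticated, so the body is validated and sanitized before logging. The function name parseCspReport, the size cap and the sample report are assumptions constructed for illustration.

```php
<?php
// Added example, not part of phalcon-csp; all names here are hypothetical.
const MAX_REPORT_BYTES = 8192; // assumed cap; violation reports are small
const REPORT_FIELDS = ['document-uri', 'violated-directive',
    'effective-directive', 'blocked-uri', 'source-file', 'line-number'];

/**
 * Validate a CSP violation report body and return a flat, log-safe array,
 * or null when the request is not a well-formed report.
 */
function parseCspReport(string $contentType, string $body): ?array
{
    // Browsers POST report-uri violations as application/csp-report.
    $type = strtolower(trim(explode(';', $contentType)[0]));
    if ($type !== 'application/csp-report') {
        return null;
    }
    if ($body === '' || strlen($body) > MAX_REPORT_BYTES) {
        return null;
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !is_array($data['csp-report'] ?? null)) {
        return null;
    }
    $out = [];
    foreach (REPORT_FIELDS as $field) {
        $value = $data['csp-report'][$field] ?? '';
        if (!is_scalar($value)) {
            continue;
        }
        // Anyone can POST here: strip control characters and cap length so
        // a forged report cannot inject log lines or bloat the log.
        $clean = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value);
        $out[$field] = substr($clean, 0, 512);
    }
    return $out;
}

// Constructed sample report; the CRLF imitates a log-injection attempt.
$sample = json_encode(['csp-report' => [
    'document-uri'       => 'https://example.com/',
    'violated-directive' => 'script-src',
    'blocked-uri'        => "inline\r\nforged log line",
    'line-number'        => 12,
]]);
$report = parseCspReport('application/csp-report', $sample);
if ($report !== null) {
    error_log('csp-violation ' . json_encode($report));
}
```

In a Phalcon controller action mapped to the report URI, pass `$this->request->getHeader('Content-Type')` and `$this->request->getRawBody()` to the function and reply with an empty 204 response.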

With the Content Security Policy header you can also tell browsers to upgrade all insecure requests to their secure versions. To do so, call the setUpgradeInsecureRequests() function.

$di->set( 'csp', function() {
    $csp = new ContentSecurityPolicy();
    $csp->setUpgradeInsecureRequests();

    return $csp;
}, true );

Assets Manager

This plugin also provides an assets manager class that extends the standard assets manager class and automatically gathers the origins of scripts and styles added with it. It also generates nonces for inline scripts and styles.

<?php

$di->set( 'assets', function() {
    $manager = new \Phalcon\Plugin\CSP\Assets\Manager();

    return $manager;
}, true );

Later on you can use it like the standard assets manager class to add your script and style files as well as inline blocks.