{"id":18897727,"url":"https://github.com/aubes/csp-bundle","last_synced_at":"2026-03-04T21:07:16.534Z","repository":{"id":153599838,"uuid":"629899613","full_name":"aubes/csp-bundle","owner":"aubes","description":"Content Security Policy bundle for Symfony","archived":false,"fork":false,"pushed_at":"2026-03-03T20:36:29.000Z","size":26,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-04T00:14:25.825Z","etag":null,"topics":["bundle","content-security-policy","symfony"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aubes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-19T08:51:15.000Z","updated_at":"2024-01-02T08:51:29.000Z","dependencies_parsed_at":"2023-05-20T09:00:25.596Z","dependency_job_id":null,"html_url":"https://github.com/aubes/csp-bundle","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/aubes/csp-bundle","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aubes%2Fcsp-bundle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aubes%2Fcsp-bundle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aubes%2Fcsp-bundle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aubes%2Fcsp-bundle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aubes","download_url":"https://codeload.github.com
/aubes/csp-bundle/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aubes%2Fcsp-bundle/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30093015,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T20:42:30.420Z","status":"ssl_error","status_checked_at":"2026-03-04T20:42:30.057Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bundle","content-security-policy","symfony"],"created_at":"2024-11-08T08:39:23.700Z","updated_at":"2026-03-04T21:07:16.522Z","avatar_url":"https://github.com/aubes.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Content Security Policy Bundle\n\n![CI](https://github.com/aubes/csp-bundle/actions/workflows/php.yml/badge.svg)\n\nThis Symfony bundle provides a helper to configure [Content-Security-Policy](https://developer.mozilla.org/fr/docs/Web/HTTP/CSP) headers.\n\nIt is compatible with:\n * PHP 7.4 | 8\n * Symfony 5.4 | 6 | 7\n\n## Installation\n\n```shell\ncomposer require aubes/csp-bundle\n```\n\n## Configuration\n\nThe configuration looks as follows:\n\n```yaml\n# config/packages/csp.yaml\ncsp:\n    # Default name is required when multiple groups are defined\n    # When only one group is defined, it becomes the default group\n    default_group: ~\n\n   
 # Add the default group's CSP headers to each response\n    auto_default: false\n\n    groups:\n        # Name of the policy group\n        default_example:\n            # Use 'Content-Security-Policy-Report-Only' header instead of 'Content-Security-Policy'\n            report_only: false\n\n            policies:\n                # Use directive name, reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n                base-uri:\n                    # Internal sources are supported, and single quotes are added automatically\n                    - self\n\n                    # Constants can be used for internal sources\n                    - !php/const Aubes\\CSPBundle\\CSPSource::SELF\n\n                    # Source reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources\n                    - 'https://example.com'\n\n                # Use a PHP constant instead of the directive name\n                !php/const Aubes\\CSPBundle\\CSPDirective::SCRIPT_SRC:\n                    - # Source\n\n        another_group:\n            # [...]\n```\n\n## Usage\n\n### Add CSP Headers\n\n#### Auto default\n\nIf the `auto_default` configuration is enabled, the default group is injected into each response.\n\nTo disable CSP on a specific route:\n\n```yaml\n# config/routes.yaml\nexample_routes:\n    # [...]\n    defaults:\n        _csp_disabled: true\n```\n\n#### Manually\n\n```yaml\n# config/routes.yaml\nexample_routes:\n    # [...]\n    defaults:\n        _csp_groups: [] # Group list\n```\n\n#### Add a directive on the fly\n\n```php\nnamespace App\\Controller;\n\nuse Aubes\\CSPBundle\\CSP;\nuse Aubes\\CSPBundle\\CSPDirective;\nuse Aubes\\CSPBundle\\CSPSource;\nuse Symfony\\Bundle\\FrameworkBundle\\Controller\\AbstractController;\n\nclass ExampleController extends AbstractController\n{\n    public function __invoke(CSP $csp)\n    {\n        $csp-\u003eaddDirective(CSPDirective::SCRIPT_SRC, CSPSource::UNSAFE_INLINE/*, 
'default_example'*/);\n\n        return $this-\u003erender('csp.html.twig');\n    }\n}\n```\n\n### Source nonce\n\nTwig functions are available to add a `nonce` attribute to nonceable inline elements in your templates.\n\n#### csp_nonce\n\n**Arguments**:\n\n* **directive**: name of the CSP directive (required)\n* **groupName**: group name; the default group is used if not defined\n* **nonce**: base64 nonce id\n\n```html\n\u003c!-- templates/example.html.twig --\u003e\n\n\u003c!-- Add a generated nonce on an inline element in the default group --\u003e\n\u003cscript {{ csp_nonce('script-src') }}\u003e\n    // [...]\n\u003c/script\u003e\n\n\u003c!-- Add a generated nonce on an inline element in a specific group --\u003e\n\u003cscript {{ csp_nonce('script-src', 'default_example') }}\u003e\n    // [...]\n\u003c/script\u003e\n\n\u003c!-- Add a base64 custom nonce on an inline element in a specific group --\u003e\n\u003cscript {{ csp_nonce('script-src', 'default_example', 'MTIzNDU2') }}\u003e\n    // [...]\n\u003c/script\u003e\n```\n\n#### csp_script_nonce\n\n**Arguments**:\n\n* **groupName**: group name; the default group is used if not defined\n* **nonce**: base64 nonce id\n\n#### csp_style_nonce\n\n**Arguments**:\n\n* **groupName**: group name; the default group is used if not defined\n* **nonce**: base64 nonce id\n\n### Report\n\n#### Configuration\n\nEnable [report-to](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) in the configuration:\n\n```yaml\n# config/packages/csp.yaml\ncsp:\n    groups:\n        default_example:\n            reporting:\n                group_name: ~ # Override the group name\n                \n                # Add report-uri backward compatibility\n                backward_compatibility: false\n                \n                max_age: 3600\n                endpoints:\n                    - # Symfony route\n```\n\n#### Built-in controller\n\nA built-in controller can log reports (path: `/csp-report/{group}`, name: 
`csp_report`).\n\nTo use the built-in controller to log reports:\n\n```yaml\n# config/routes.yaml\ncsp:\n    resource: '@CSPBundle/Resources/config/routing.yaml'\n```\n\nAdd the route to a group's reporting endpoints:\n\n```yaml\n# config/packages/csp.yaml\ncsp:\n    groups:\n        default_example:\n            reporting:\n                # [...]\n                endpoints:\n                    - 'csp_route'\n```\n\n#### Built-in controller logger\n\nTo configure the logger of this controller:\n\n```yaml\n# config/packages/csp.yaml\ncsp:\n    report_logger:\n        logger_id: ~ # Logger Service Id\n        level: ~ # Log level, default is WARNING\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faubes%2Fcsp-bundle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faubes%2Fcsp-bundle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faubes%2Fcsp-bundle/lists"}