Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/decodelabs/sanctum
Define and deploy Content Security Policies in your PHP application
https://github.com/decodelabs/sanctum
content-security-policy csp php
Last synced: 1 day ago
JSON representation
Define and deploy Content Security Policies in your PHP application
- Host: GitHub
- URL: https://github.com/decodelabs/sanctum
- Owner: decodelabs
- License: mit
- Created: 2022-08-26T09:38:57.000Z (over 2 years ago)
- Default Branch: develop
- Last Pushed: 2024-09-04T21:28:35.000Z (4 months ago)
- Last Synced: 2024-12-25T19:14:13.600Z (15 days ago)
- Topics: content-security-policy, csp, php
- Language: PHP
- Homepage:
- Size: 41 KB
- Stars: 2
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
README
# Sanctum
[](https://packagist.org/packages/decodelabs/sanctum)
[](https://packagist.org/packages/decodelabs/sanctum)
[](https://packagist.org/packages/decodelabs/sanctum)
[](https://github.com/decodelabs/sanctum/actions/workflows/integrate.yml)
[](https://github.com/phpstan/phpstan)
[](https://packagist.org/packages/decodelabs/sanctum)
### Content Security Policies for your PHP application.
Sanctum allows you to create and deploy Content Security Policies with ease. Take the guesswork out of this important security feature.
_Get news and updates on the [DecodeLabs blog](https://blog.decodelabs.com)._
---
## Installation
```bash
composer require decodelabs/sanctum
```
## Usage
Create your definition:
```php
use DecodeLabs\Sanctum\Definition;
class MyCsp extends Definition {
// These items can be reused in other directives
const SharedSrc = [
'@self', // Resolves to 'self'
'*.myotherdomain.com'
];
// These items create the default-src directive
const DefaultSrc = [
'@shared-src', // Import items from SharedSrc
];
// These define script sources
const ScriptSrc = [
'@nonce', // Creates a unique nonce to be used in markup
'@unsafe-inline', // Resolves to 'unsafe-inline'
'@strict-dynamic',
'@https',
'@http'
];
// These define image sources
const ImgSrc = [
'@shared', // Import items from SharedSrc
'@data', // Resolves to data: for data URLs
'*.myimagecdn.net',
'!*.myotherdomain.com' // Exclude importing from SharedSrc
];
// Report endpoint
const ReportUri = 'https://mydomain.com/report';
}
```
Please see https://content-security-policy.com/ for a full list of directives.
Then in your HTTP handler:
```php
$csp = new MyCsp();
foreach($csp->exportHeaders() as $header => $value) {
$response->setHeader($header, $value);
}
/*
Reporting-Endpoints => sanctum-csp-report="https://mydomain.com/report"
Content-Security-Policy =>
default-src 'self' *.myotherdomain.com;
script-src nonce-98b88fa48f23911d6fc1f5092efb2e36d76423ce4f5d7ef42765a2c2501d57c9' 'unsafe-inline' 'strict-dynamic' https: http:;
img-src 'self' data: *.myimagecdn.net;
report-uri https://mydomain.com/report;
report-to sanctum-csp-report
*/
```
### Hashes
Make use of the hash feature for scripts - see https://content-security-policy.com/hash/ for explanation
```php
/*
HTML:
doSomething();
*/
$script = 'doSomething();'; // Your JS
// Adds sha256-xxx hash to CSP directive
$hash = $csp->hashContent($script, 'script-src');
```
## Archetype loader
Sanctum also provides an optional [Archetype](https://github.com/decodelabs/archetype) loader:
```php
namespace DecodeLabs\Sanctum\Definition;
use DecodeLabs\Sanctum\Definition;
class MyCsp extends Definition {}
$csp = Definition::load('MyCsp');
$csp->exportHeaders();
```
Archetype will look for implementations in the root namespace (DecodeLabs\Sanctum\Definition) by default. If you want to host your implementations in a different namespace, you should create and register a new [Archetype resolver](https://github.com/decodelabs/archetype) to find them.
## Licensing
Sanctum is licensed under the MIT License. See [LICENSE](./LICENSE) for the full license text.