Add a Content Security Policy(CSP) to your Web Site with PHP


What is Content Security Policy(CSP)?

Content Security Policy (CSP) is a browser mechanism that restricts which content the browser will request and run. The server does this by sending a specific response header that tells the browser which resources (images, JavaScript, CSS, frames, etc.) may be requested and executed. There are multiple ways to set up CSP for your web site: you can use your web server configuration, like I showed in a previous example, or use a dynamic scripting language like PHP.

Why use PHP to create your Content Security Policy

  • Creating CSP in PHP is highly dynamic and makes per-page policies easy to set up.
  • Putting CSP in the web server’s configuration or .htaccess file is typically all or nothing.
  • Working with a web server’s Directory and File rules is much more cumbersome, and it is difficult to gain the same level of flexibility that PHP offers.

Difference between the two CSP Headers

  • X-Content-Security-Policy enforces the policy: only what the policy allows is loaded and executed. So if you’re not careful, you could be blocking legitimate resources. If you’re new to CSP, start with the report-only header.
  • X-Content-Security-Policy-Report-Only executes all resources and is mainly used to ease your way into CSP by reporting (but not blocking) violating resources.

So, let’s see some examples!

Examples of Content Security Policy(CSP) in PHP

Only content from your own domain is allowed.

<?php
header("X-Content-Security-Policy: allow 'self'");
?>

Only content from your own domain and JavaScript from www.google-analytics.com is acceptable. Anything outside of that will still be executed, but a report will be sent back to your domain’s violation.php.

<?php
header("X-Content-Security-Policy-Report-Only: allow 'self'; script-src www.google-analytics.com; report-uri /violation.php");
?>
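As an added example (not code from the original post), the following builds a per-page policy from an array in the post's header style and includes a receiver for the report-uri endpoint the examples point at. The function names are hypothetical; note that current browsers recognise the unprefixed Content-Security-Policy header with default-src in place of allow, so pass those names instead where appropriate.

```php
<?php
// Added example, not code from the original post. Function names are hypothetical.
// Header names follow the post; current browsers expect the unprefixed
// "Content-Security-Policy" header and "default-src" in place of "allow".

// Turn ['allow' => ["'self'"], 'script-src' => ['www.google-analytics.com']]
// into "allow 'self'; script-src www.google-analytics.com".
function buildCspPolicy(array $directives): string
{
    $parts = [];
    foreach ($directives as $directive => $sources) {
        foreach ((array) $sources as $source) {
            // A ';' or newline in a source would inject another directive or header.
            if (preg_match('/[;\r\n]/', $source)) {
                throw new InvalidArgumentException("Bad CSP source: $source");
            }
        }
        $parts[] = $directive . ' ' . implode(' ', (array) $sources);
    }
    return implode('; ', $parts);
}

// Send the policy; $reportOnly picks the Report-Only header for a safe roll-out.
function sendCspHeader(array $directives, bool $reportOnly = false): void
{
    $name = $reportOnly ? 'X-Content-Security-Policy-Report-Only'
                        : 'X-Content-Security-Policy';
    header($name . ': ' . buildCspPolicy($directives)); // must precede any output
}

// violation.php: browsers POST a JSON document describing each blocked resource.
function handleCspReport(string $body, string $logFile): bool
{
    $report = json_decode($body, true);
    if (!is_array($report) || !isset($report['csp-report'])) {
        return false; // not a CSP report; ignore junk sent to the endpoint
    }
    $r = $report['csp-report'];
    $line = sprintf("%s blocked=%s directive=%s on=%s\n", date('c'),
        $r['blocked-uri'] ?? '?', $r['violated-directive'] ?? '?',
        $r['document-uri'] ?? '?');
    return file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Per-page use on an ordinary page (report-only while tuning the policy):
sendCspHeader([
    'allow'      => ["'self'"],
    'script-src' => ["'self'", 'www.google-analytics.com'],
    'report-uri' => ['/violation.php'],
], true);
```

In violation.php itself, call handleCspReport(file_get_contents('php://input'), '/var/log/csp.log') with a log path of your choosing.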

Important Links

Documentation of PHP’s Header function
Mozilla’s CSP Definition
