Speaking of Content Security Policy, the folks at Spatie – who else? – have created a Laravel package to easily take care of your CSP needs in a Laravel-based app.
Even without knowing the inner workings of the package, the custom Policy below is easy to understand:
```php
namespace App\Services\Csp;

use Spatie\Csp\Directive;
use Spatie\Csp\Policies\Policy as BasePolicy;

class Policy extends BasePolicy
{
    public function configure()
    {
        $this
            ->addGeneralDirectives()
            ->addDirectivesForBootstrap()
            ->addDirectivesForCarbon()
            ->addDirectivesForGoogleFonts()
            ->addDirectivesForGoogleAnalytics()
            ->addDirectivesForGoogleTagManager()
            ->addDirectivesForTwitter()
            ->addDirectivesForYouTube();
    }

    protected function addGeneralDirectives(): self
    {
        return $this
            ->addDirective(Directive::BASE, 'self')
            ->addNonceForDirective(Directive::SCRIPT)
            ->addDirective(Directive::SCRIPT, [
                'murze.be',
                'murze.be.test',
            ])
            ->addDirective(Directive::STYLE, [
                'murze.be',
                'murze.be.test',
                'unsafe-inline',
            ])
            ->addDirective(Directive::FORM_ACTION, [
                'murze.be',
                'murze.be.test',
                'sendy.murze.be',
            ])
            ->addDirective(Directive::IMG, [
                '*',
                'unsafe-inline',
                'data:',
            ])
            ->addDirective(Directive::OBJECT, 'none');
    }

    protected function addDirectivesForBootstrap(): self
    {
        return $this
            ->addDirective(Directive::FONT, ['*.bootstrapcdn.com'])
            ->addDirective(Directive::SCRIPT, ['*.bootstrapcdn.com'])
            ->addDirective(Directive::STYLE, ['*.bootstrapcdn.com']);
    }

    protected function addDirectivesForCarbon(): self
    {
        return $this->addDirective(Directive::SCRIPT, [
            'srv.carbonads.net',
            'script.carbonads.com',
            'cdn.carbonads.com',
        ]);
    }

    protected function addDirectivesForGoogleFonts(): self
    {
        return $this
            ->addDirective(Directive::FONT, 'fonts.gstatic.com')
            ->addDirective(Directive::SCRIPT, 'fonts.googleapis.com')
            ->addDirective(Directive::STYLE, 'fonts.googleapis.com');
    }

    protected function addDirectivesForGoogleAnalytics(): self
    {
        return $this->addDirective(Directive::SCRIPT, '*.google-analytics.com');
    }

    protected function addDirectivesForGoogleTagManager(): self
    {
        return $this->addDirective(Directive::SCRIPT, '*.googletagmanager.com');
    }

    protected function addDirectivesForTwitter(): self
    {
        return $this
            ->addDirective(Directive::SCRIPT, [
                'platform.twitter.com',
                '*.twimg.com',
            ])
            ->addDirective(Directive::STYLE, [
                'platform.twitter.com',
            ])
            ->addDirective(Directive::FRAME, [
                'platform.twitter.com',
                'syndication.twitter.com',
            ])
            ->addDirective(Directive::FORM_ACTION, [
                'platform.twitter.com',
                'syndication.twitter.com',
            ]);
    }

    protected function addDirectivesForYouTube(): self
    {
        return $this->addDirective(Directive::FRAME, '*.youtube.com');
    }
}
```
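A policy class like the one above is only as good as the header it ends up sending, so it pays to look at the serialised `Content-Security-Policy` value and ask which sources weaken it. The following is an added example, not code from the post or from spatie/laravel-csp: a small, framework-independent parser and linter for a CSP header value. The `SAMPLE_CSP` string is a hand-written approximation of what the policy above would emit (including a made-up nonce); it was not captured from the package or from murze.be, and the severity labels are this example's own judgement, not the package's.

```python
"""Parse a Content-Security-Policy header value and flag weak settings.

Added example; not part of the original post or of spatie/laravel-csp.
"""
from __future__ import annotations

# Constructed approximation of the header the policy above would send.
# Assumption: hand-written here, not captured from the package or the site.
SAMPLE_CSP = (
    "base-uri 'self'; "
    "script-src 'nonce-r4nd0m' murze.be murze.be.test *.bootstrapcdn.com "
    "srv.carbonads.net fonts.googleapis.com *.google-analytics.com; "
    "style-src murze.be murze.be.test 'unsafe-inline' *.bootstrapcdn.com; "
    "form-action murze.be murze.be.test sendy.murze.be; "
    "img-src * 'unsafe-inline' data:; "
    "object-src 'none'; "
    "frame-src platform.twitter.com syndication.twitter.com *.youtube.com"
)

# Directives for which the 'unsafe-inline' keyword actually changes behaviour.
INLINE_AWARE = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
}
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP serialisation into {directive: [source, ...]}.

    Browsers keep the first occurrence of a directive name and ignore any
    later duplicate, so the parser does the same.
    """
    directives: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue  # duplicate directive: first one wins
        directives[name] = tokens[1:]
    return directives


def lint_csp(header: str) -> list[tuple[str, str, str]]:
    """Return (severity, directive, message) findings for weak settings."""
    d = parse_csp(header)
    findings: list[tuple[str, str, str]] = []

    for name, sources in d.items():
        lowered = [s.lower() for s in sources]
        has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in lowered)
        script_like = name in {"default-src", "script-src", "script-src-elem", "script-src-attr"}

        if "'unsafe-inline'" in lowered:
            if name not in INLINE_AWARE:
                findings.append(("info", name, "'unsafe-inline' has no effect in this directive; remove it"))
            elif script_like and has_nonce_or_hash:
                findings.append(("low", name, "'unsafe-inline' is ignored by CSP2+ browsers because a nonce/hash is present; legacy fallback only"))
            elif script_like:
                findings.append(("high", name, "'unsafe-inline' lets any injected inline script run"))
            else:
                findings.append(("medium", name, "'unsafe-inline' lets injected inline styles apply"))

        if "*" in lowered:
            sev = "high" if script_like else "low"
            findings.append((sev, name, "wildcard source allows any origin"))

        if script_like and any(s.startswith("*.") for s in lowered):
            findings.append(("low", name, "wildcard host allows every subdomain; prefer explicit hosts"))

    if "default-src" not in d:
        findings.append(("medium", "default-src", "missing; fetch directives not listed (e.g. connect-src) are unrestricted"))
    if "object-src" not in d and "default-src" not in d:
        findings.append(("high", "object-src", "missing with no default-src fallback; plugin content can load from anywhere"))
    if "base-uri" not in d:
        findings.append(("medium", "base-uri", "missing; an injected <base> element can redirect relative URLs"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in lint_csp(SAMPLE_CSP):
        print(f"[{severity:6}] {directive}: {message}")
```

Run against the constructed header, the linter reports nothing at "high": the nonce on `script-src` and the explicit `object-src 'none'` and `base-uri 'self'` are what keep the grade up. What it does surface is the `'unsafe-inline'` on `style-src`, the `img-src *`, the `'unsafe-inline'` keyword on `img-src` (which browsers simply ignore there), the wildcard hosts in `script-src`, and the absence of a `default-src` fallback. Those are the trade-offs a scanner grade does not spell out.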
Using the policy above, Freek’s site now gets an A+ from the aforementioned securityheaders.io service.
Using Content Security Policy headers in a Laravel app →
laravel-csp (GitHub) →