CSP in PHP
CSP stands for Content Security Policy. It is an additional layer of security; in this case, we will see how to apply CSP in PHP.
CSP allows us to disable the loading of various types of scripts, CSS, files, etc., as well as to enable them from specific origins.
The main reason CSP exists is to help prevent Cross-Site Scripting (XSS).
Having a CSP on your page will significantly reduce the attack surface of your website.
Directives
CSP has many directives that we can use, which allow us to define where we are applying a restriction or allowing an action.
The directives determine what procedures or actions will be performed with respect to a given URL.
We can see all the directives at https://content-security-policy.com/
Let’s see the most used directives
default-src
default-src is the fallback directive for JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media. This means that if any of the following directives is absent, default-src takes its place: script-src, style-src, img-src, font-src, connect-src, media-src and object-src.
script-src
Defines the sources for JavaScript.
style-src
Defines the sources for stylesheets and inline styles.
connect-src
Defines the sources for XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping>, or EventSource.
font-src
Defines the sources for fonts.
object-src
Defines the valid sources or origins for plugins, such as <object>, <embed>, or <applet>.
media-src
Defines the origins for video and audio loaded with <audio> and <video>.
frame-src
Defines the valid origins for loading frames.
I hesitated to include this, since frames are not well-liked, but Google often uses them when we use one of its APIs, for example Google Maps, Google AdSense, Analytics, or another.
form-action
Restricts the URLs that can be used as the target of form submissions from a given context.
base-uri
Defines the URLs allowed for use in the src attribute of an HTML tag.
Tools that can help us create our CSP
Tools:
- inspector (the Firefox browser developer tool)
- https://csp-evaluator.appspot.com/ or similar
How to use the inspector:
It’s simple.
- Open the Firefox inspector by right-clicking on the page and selecting “Inspect Element”.
Once the inspector is open, you need to know how to obtain your CSP.
To obtain your CSP:
- Go to the Network tab.
- Reload the page and look for the first GET request in the Network tab.
- Click on the Headers tab.
- In the Headers tab, look for the Content-Security-Policy header and its value.
- Copy the value of the Content-Security-Policy header and paste it into the CSP Evaluator.
The CSP Evaluator will help you to evaluate your CSP header and identify any potential security risks.
Create the CSP in PHP
For PHP, we can use the header() function to send our Content Security Policy (CSP). My recommendation is to put it inside a function and then call that function from our header template. Or, if we are using WordPress, we can use something like:
add_action('wp_headers', 'add_content_security_policy_header', 1);

// wp_headers is a WordPress filter that passes the headers array; accept it and
// return it unchanged so WordPress can still iterate over it after this callback.
function add_content_security_policy_header($headers) {
    global $nonce; // the per-request nonce, generated elsewhere
    header("Content-Security-Policy: " .
        "default-src 'self' https://*.web1.com/ https://www.web2.com; " .
        // base() is the author's helper for the site's own origin; it is not defined in this post
        "script-src " . base() . " 'nonce-$nonce'; " .
        "style-src 'self' 'unsafe-inline' 'nonce-$nonce'; " .
        "img-src 'self' https://* data: ; " .
        "font-src 'self' data: https://ka-f.fontawesome.com; " .
        "connect-src 'self' https://www.google-analytics.com https://*.googlesyndication.com/ " .
        "https://www.google.com/ https://fundingchoicesmessages.google.com https://ka-f.fontawesome.com/; " .
        "base-uri 'self';"
    );
    return $headers;
}
- A nonce is a random number that is used only once. It is used for inline scripts, since we should not use 'unsafe-inline' but a nonce or a hash.
- If you are using styles, you should use 'unsafe-inline'; a nonce does not work for styles.
- The idea of a nonce is that the attacker cannot know it. Generating a random number can serve as a nonce, but the number must be large; do not use small random numbers.
- If you are using a nonce in your project, you must make it unique. Remember that PHP has functions that do this; do not use the time as a nonce, that would be a serious error.
- On the other hand, there are also third-party packages that take care of this.
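As an added example that is not code from the original post, here is a self-contained way to generate the per-request nonce with PHP's random_bytes() and assemble the header from one directive per array entry; the function names (csp_nonce, build_csp, send_csp) and the sample allowed host are my own assumptions, and it puts the nonce on style-src as well, as the author's own WordPress function does.

```php
<?php
// Added example, not the original post's code: generate a per-request CSP
// nonce with a CSPRNG and assemble the header one directive at a time.
// csp_nonce(), build_csp() and send_csp() are names assumed here.
declare(strict_types=1);

/**
 * Returns this request's nonce, generating it once so the header and every
 * inline <script nonce="..."> carry the same value. random_bytes() is
 * cryptographically secure; 16 bytes gives 128 bits of entropy.
 * Never derive a nonce from time() or rand(): both are guessable.
 */
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

/**
 * Builds the Content-Security-Policy value. One directive per array entry
 * means a forgotten "; " can never silently merge two directives.
 * $script_hosts lists extra script origins (constructed sample values).
 */
function build_csp(string $nonce, array $script_hosts = []): string
{
    $directives = [
        "default-src 'self'",
        trim("script-src 'self' 'nonce-$nonce' " . implode(' ', $script_hosts)),
        "style-src 'self' 'nonce-$nonce'", // nonce on styles, as in the author's function
        "img-src 'self' data:",
        "font-src 'self' data:",
        "connect-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
    ];
    return implode('; ', $directives);
}

/** Sends the header; must be called before any output is echoed. */
function send_csp(array $script_hosts = []): void
{
    header('Content-Security-Policy: ' . build_csp(csp_nonce(), $script_hosts));
}

send_csp(['https://www.google-analytics.com']);
// The template attaches the same nonce to each inline script it needs:
$n = htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8');
echo "<script nonce=\"$n\">console.log('allowed by nonce');</script>\n";
```

After loading the page, copy the Content-Security-Policy value from the Network tab as described above and paste it into the CSP Evaluator to confirm the nonce appears in script-src and that no directive was merged with its neighbour.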