Author: Admin/Publisher

CSP in PHP

CSP stands for Content Security Policy. It is an additional layer of security: the server declares a policy in the Content-Security-Policy HTTP response header and the browser enforces it. In this case, we will see how to apply CSP in PHP.

CSP lets us allow or block, per resource type, the origins from which the browser may load scripts, CSS, images, fonts and other files, and whether inline scripts and styles may run at all.

The main reason CSP exists is to mitigate Cross-Site Scripting (XSS): even if an attacker manages to inject markup into the page, the browser refuses to run scripts that the policy does not allow.

Having a CSP on your page significantly reduces what an injection can do to your website. It is a second line of defence, not a replacement for output encoding.

Directives


CSP has many directives. Each one names a resource type (or a document behaviour) and lists the sources from which that resource type may be loaded, so a directive is where we define a limitation or allow an action.

The directives determine what the browser may do with respect to a given URL: load it as a script, as a stylesheet, as an image, connect to it, submit a form to it, and so on.

We can see all the directives at https://content-security-policy.com/

Let's look at the most used directives.

default-src

default-src is the fallback for the fetch directives (JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media, plugins). If one of the more specific directives is not present (script-src, style-src, img-src, font-src, connect-src, media-src, object-src, frame-src), the browser uses the default-src source list in its place. Note that the document directives base-uri, form-action and frame-ancestors do not fall back to default-src: if you do not set them, they stay unrestricted.


script-src

Defines the allowed sources for JavaScript, including whether inline scripts may run.


style-src

Defines the allowed sources for stylesheets and whether inline styles may be applied.


connect-src

Defines the endpoints the page may connect to with XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping>, or EventSource.


font-src

Defines the allowed sources for web fonts loaded with @font-face.


object-src

Defines the valid sources for plugins, such as <object>, <embed>, or <applet>. On a site that uses none of these, set it to 'none'.


media-src

Defines the allowed sources for audio and video loaded by <audio> and <video>.


frame-src

Frames are not well-liked, but Google often uses them when we consume one of their APIs, for example Google Maps, Google AdSense, Analytics, or another of their products, so it is worth including here.

Defines the valid origins for loading frames (<iframe>). If frame-src is absent, the browser falls back to child-src and then to default-src.


form-action

Restricts the URLs which can be used as the target of form submissions from the page (<form action>). It does not fall back to default-src, so set it explicitly, typically to 'self'.


base-uri

Restricts the URLs that may be used in the href attribute of the document's <base> element. Without it, an injected <base> tag could make every relative script and link URL on the page resolve against an attacker's host. It does not fall back to default-src, so set it explicitly ('self').
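To make the fallback rules above concrete, here is an added example in PHP; it is not code from the article. It parses a policy string and reports which directive's source list the browser would actually apply to each resource type, including the cases with no fallback. The function names csp_parse and csp_effective, the fallback table and the sample policy are my own assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Fallback chain per CSP3: for each directive, the directives consulted in order.
// The document directives at the end have no fallback at all.
const CSP_FALLBACK = [
    'script-src'      => ['script-src', 'default-src'],
    'style-src'       => ['style-src', 'default-src'],
    'img-src'         => ['img-src', 'default-src'],
    'font-src'        => ['font-src', 'default-src'],
    'connect-src'     => ['connect-src', 'default-src'],
    'media-src'       => ['media-src', 'default-src'],
    'object-src'      => ['object-src', 'default-src'],
    'frame-src'       => ['frame-src', 'child-src', 'default-src'],
    'worker-src'      => ['worker-src', 'child-src', 'script-src', 'default-src'],
    'base-uri'        => ['base-uri'],
    'form-action'     => ['form-action'],
    'frame-ancestors' => ['frame-ancestors'],
];

/** Split "name src src; name src" into ['name' => ['src', 'src'], ...]. */
function csp_parse(string $policy): array
{
    $out = [];
    foreach (explode(';', $policy) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        // Browsers ignore a repeated directive: the first occurrence wins.
        if (!isset($out[$name])) {
            $out[$name] = $tokens;
        }
    }
    return $out;
}

/** Return [governing directive, its sources], or null when nothing restricts it. */
function csp_effective(array $parsed, string $directive): ?array
{
    foreach (CSP_FALLBACK[$directive] ?? [$directive] as $candidate) {
        if (isset($parsed[$candidate])) {
            return [$candidate, $parsed[$candidate]];
        }
    }
    return null;
}

// Constructed policy for the demo: no style-src, frame-src or base-uri.
$policy = "default-src 'self'; script-src 'self' 'nonce-abc'; img-src *";
$parsed = csp_parse($policy);

foreach (['script-src', 'style-src', 'frame-src', 'base-uri'] as $d) {
    $r = csp_effective($parsed, $d);
    printf("%-11s -> %s\n", $d, $r ? "{$r[0]}: " . implode(' ', $r[1]) : 'unrestricted');
}
```

Run it with the PHP CLI. style-src and frame-src resolve to default-src, script-src keeps its own list, and base-uri comes out unrestricted because it never falls back, which is exactly why the policy in the next section sets it explicitly.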

Tools that can help us create our CSP


Tools:

  • inspector (the developer tool built into the Firefox browser)
  • https://csp-evaluator.appspot.com/ or similar

How to use the inspector:

It’s simple.

  1. Open the Firefox inspector by right-clicking on the page and selecting “Inspect” (called “Inspect Element” in older versions).

Once the inspector is open, you need to know how to obtain your CSP.

To obtain your CSP:

  1. Go to the Network tab.
  2. Reload the page and look for the first GET request in the list: the request for the HTML document itself (type html).
  3. Click on it and open the Headers tab.
  4. Under Response Headers, look for the Content-Security-Policy header and its value. (If your CSP is set with a <meta http-equiv="Content-Security-Policy"> tag instead, it is in the HTML, not in the headers.)
  5. Copy the value of the Content-Security-Policy header and paste it into the CSP Evaluator.

The CSP Evaluator will help you to evaluate your CSP header and identify any potential security risks.

Create the CSP in PHP


For PHP, we can use the header() function to send our content security policy (CSP). It must be called before any output is sent to the browser (before the first byte of HTML, with no stray whitespace before <?php), otherwise PHP can no longer add headers. My recommendation is to put it inside a function and then call it at the top of our header template. Or, if we are using WordPress, we can hook a function into the send_headers action, which fires while WordPress sends its response headers and before any output, with something like:

add_action('send_headers', 'add_content_security_policy_header', 1);
function add_content_security_policy_header() {
    // One nonce per response: 128 bits from the CSPRNG, base64-encoded.
    // Templates read the same global to put nonce="..." on inline <script> tags.
    global $nonce;
    $nonce = base64_encode(random_bytes(16));

    header("Content-Security-Policy: ".
        "default-src 'self' ".
            "https://*.web1.com/ ".
            "https://www.web2.com; ".
        // 'self' is the site's own origin; inline scripts run only with the nonce
        "script-src 'self' ".
            "'nonce-$nonce'; ".
        // style="" attributes cannot carry a nonce, so 'unsafe-inline' stays;
        // adding a nonce or hash here would make the browser ignore 'unsafe-inline'
        "style-src 'self' ".
            "'unsafe-inline'; ".
        "img-src 'self' ".
            "https://* data:; ".
        "font-src 'self' ".
            "data: ".
            "https://ka-f.fontawesome.com; ".
        "connect-src 'self' ".
            "https://www.google-analytics.com ".
            "https://*.googlesyndication.com/ ".
            "https://www.google.com/ ".
            "https://fundingchoicesmessages.google.com ".
            "https://ka-f.fontawesome.com/; ".
        // base-uri does not fall back to default-src, so it is set explicitly
        "base-uri 'self';");
}
  • A nonce is a number used once: a fresh random value generated for each response. It is used to allow specific inline scripts, since we should not use 'unsafe-inline' but a nonce or a hash. The value in the header ('nonce-<value>') must match the nonce attribute on each <script> tag exactly.
  • For styles, a nonce works on <style> elements and <link> tags but cannot be attached to style="..." attributes, so if your theme or plugins emit inline style attributes you have to keep 'unsafe-inline' in style-src. In that case do not also put a nonce or a hash in style-src: as soon as one is present, browsers ignore 'unsafe-inline'.
  • The idea of a nonce is that it cannot be guessed by the attacker. Generate it from a cryptographically secure random source and make it large (at least 128 bits, base64-encoded); do not make small random numbers.
  • If you are using a nonce in your project, it must be unique per response. PHP's random_bytes() is the right source for it; do not use time(), rand() or uniqid() as a nonce, that would be a serious error.
  • On the other hand, there are also third-party packages that take care of this.
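The following is an added example, not code from the article, showing the whole nonce flow in a plain PHP page: generate the nonce with random_bytes(), send the header, and emit the same value on the inline <script>. It also shows the hash alternative for an inline script whose text is fixed, and sets the directives that have no default-src fallback. The function names csp_nonce, csp_hash and csp_policy and the inline script are my own assumptions.

```php
<?php
declare(strict_types=1);

/** 128 bits from PHP's CSPRNG, base64-encoded (the nonce-source grammar is base64). */
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/** Hash source for an inline script whose exact contents are known in advance. */
function csp_hash(string $inlineScript): string
{
    // hash(..., true) returns raw bytes; CSP wants them base64-encoded.
    return "'sha256-" . base64_encode(hash('sha256', $inlineScript, true)) . "'";
}

/** Build the policy string; $extraScriptSources lets a template add hash sources. */
function csp_policy(string $nonce, array $extraScriptSources = []): string
{
    $directives = [
        'default-src'     => ["'self'"],
        'script-src'      => array_merge(["'self'", "'nonce-$nonce'"], $extraScriptSources),
        // style="" attributes cannot take a nonce; a nonce here would disable 'unsafe-inline'
        'style-src'       => ["'self'", "'unsafe-inline'"],
        'img-src'         => ["'self'", 'data:'],
        'object-src'      => ["'none'"],   // no plugins on this site
        'base-uri'        => ["'self'"],   // no default-src fallback for this one
        'form-action'     => ["'self'"],   // nor for this one
        'frame-ancestors' => ["'none'"],   // anti-clickjacking; only honoured as a header, not <meta>
    ];
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Usage: everything up to header() must run before any output is sent.
$nonce  = csp_nonce();
$inline = "console.log('bootstrapped');";   // constructed inline script with fixed text
header('Content-Security-Policy: ' . csp_policy($nonce, [csp_hash($inline)]));
?>
<!doctype html>
<html>
<head>
  <!-- the attribute must match the header exactly; htmlspecialchars keeps it well-formed -->
  <script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>">
    document.addEventListener('DOMContentLoaded', function () { console.log('nonce OK'); });
  </script>
  <!-- no nonce: allowed by the sha256 hash of exactly this text -->
  <script><?= $inline ?></script>
</head>
<body></body>
</html>
```

Serve it with php -S and check the response headers as described in the tools section. The hash must be computed over the script element's text byte for byte, which is why the template echoes $inline with no surrounding whitespace. When rolling a policy out on an existing site, send it first as Content-Security-Policy-Report-Only so the browser reports violations without blocking anything.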
Something wrong? If you found an error or mistake in the content you can contact me on Twitter: @luisg2249_luis.