Csp Bundle Laravel Package

aubes/csp-bundle

## Getting Started
### Minimal Setup for v2.0.0
1. **Update dependencies** in `composer.json`:
   ```json
   {
     "require": {
       "php": "^8.2",
       "symfony/framework-bundle": "^6.4|^7.4|^8.0",
       "aubes/csp-bundle": "^2.0"
     }
   }
   ```

   Then run `composer update`.

2. **Configure a basic CSP** in `config/packages/aubes_csp.yaml` (v2 directive keys use underscores):
   ```yaml
   groups:
     default:
       enabled: true
       mode: enforce
       directives:
         default_src: "'self'"
         script_src: "'self'"
   ```

3. **Enable the bundle** in `config/bundles.php`, and run the migrations if you use the report logger:
   ```php
   return [
       // ...
       Aubes\CSPBundle\AubesCSPBundle::class => ['all' => true],
   ];
   ```

4. **Verify the installation** with the audit command:
   ```shell
   php bin/console csp:check
   ```
    

## Implementation Patterns

### Core Workflows

1. **Preset-Based Configuration**

   Use the built-in presets (`strict`, `permissive`, `api`) as a starting point:
   ```yaml
   # config/packages/aubes_csp.yaml
   groups:
     api:
       preset: api  # Auto-configures safe API defaults
       enabled: true
       mode: enforce
   ```
2. **Attribute-Driven Routing**

   Use PHP attributes to select CSP groups per controller or per action:
   ```php
   use Aubes\CSPBundle\Attribute\CSPDisabled; // assumed to live beside CSPGroup
   use Aubes\CSPBundle\Attribute\CSPGroup;
   use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
   use Symfony\Component\HttpFoundation\Response;
   use Symfony\Component\Routing\Attribute\Route;

   #[CSPGroup('admin')]
   class AdminController extends AbstractController {
       // All actions inherit the 'admin' group
   }

   #[CSPGroup('public')]
   #[Route('/public', name: 'public_')]
   class PublicController extends AbstractController {
       #[CSPDisabled] // Disable CSP for this action only
       public function legacyEndpoint(): Response { /* ... */ }
   }
   ```

3. **Twig Integration**

   Let the bundle generate nonces for scripts and styles:
   ```yaml
   # config/packages/aubes_csp.yaml
   groups:
     default:
       directives:
         script_src: "'self' csp_nonce()"
   ```

   ```twig
   {# templates/base.html.twig #}
   {% csp_script %}
     const script = document.createElement('script');
     script.src = '/dynamic-script.js';
     document.body.appendChild(script);
   {% end_csp_script %}
   ```

4. **Violation Handling**

   Subscribe to `CSPViolationEvent` for custom logging:
   ```php
   // src/EventListener/CSPViolationListener.php
   use Aubes\CSPBundle\Event\CSPViolationEvent;
   use Psr\Log\LoggerInterface;
   use Symfony\Component\EventDispatcher\Attribute\AsEventListener;

   #[AsEventListener(event: CSPViolationEvent::class)]
   final class CSPViolationListener
   {
       public function __construct(private LoggerInterface $logger) {}

       // Invoked for every dispatched CSPViolationEvent
       public function __invoke(CSPViolationEvent $event): void
       {
           $this->logger->error('CSP Violation', [
               'violation' => $event->getViolation(),
               'group' => $event->getGroupName(),
           ]);
       }
   }
   ```

5. **Multi-Group Strategies**

   Combine an enforcing group and a report-only group on the same request:
   ```yaml
   groups:
     enforcing:
       mode: enforce
       directives:
         script_src: "'self'"
     reporting:
       mode: report-only
       directives:
         script_src: "'unsafe-inline'" # Track violations only
   ```

   Apply the groups in a controller:
   ```php
   use Aubes\CSPBundle\CSP;
   use Symfony\Component\HttpFoundation\Response;

   public function dashboard(CSP $csp): Response {
       $csp->applyGroups(['enforcing', 'reporting']);
       return $this->render('dashboard.html.twig');
   }
   ```

### Integration Tips

1. **Symfony Profiler:** enable the Web Debug Toolbar panel for real-time CSP inspection (requires `symfony/web-profiler-bundle`).

2. **FrankenPHP/RoadRunner:** the CSP service implements `ResetInterface`; call `reset()` to clear CSP state between requests:
   ```php
   use Aubes\CSPBundle\CSP;

   // $csp is the injected Aubes\CSPBundle\CSP service (Laravel's app() helper
   // does not exist in Symfony; use constructor injection instead).
   $csp->reset(); // Clears all groups
   ```

3. **Hash-Based CSP:** generate hashes for inline scripts/styles:
   ```twig
   {# The hash must be computed over the exact inline text that is served #}
   {% set scriptHash = csp_hash('alert("Hello")', 'sha256') %}
   <script>alert("Hello")</script>
   ```
   ```yaml
   # config/packages/aubes_csp.yaml
   groups:
     default:
       directives:
         script_src: "'self' 'sha256-<hash>'"  # placeholder: paste the value csp_hash() produced
   ```

4. **Reporting Endpoints:** configure the modern `Reporting-Endpoints` header alongside the legacy `Report-To`:
   ```yaml
   reporting_endpoints:
     my_endpoint:
       url: "https://your-reporting-endpoint.com/report"
       group: "default"
   backward_compatibility: true
   ```
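To see what a hash source for tip 3 actually is, here is an added stand-alone example (not the bundle's `csp_hash()` implementation): it derives the `'sha256-...'` token the way browsers verify it, SHA-256 over the exact inline text, base64-encoded, and pulls inline script bodies out of served HTML so the hash matches what the browser sees. The helper names `cspHashSource` and `inlineScriptHashes` are this example's own, and it assumes `csp_hash()` yields the same token.

```php
<?php
// Added example, not the bundle's csp_hash(): derive the CSP hash source for an
// inline script the way browsers verify it, SHA-256 over the exact script text
// between the tags, base64-encoded. Assumption: csp_hash() yields the same token.

function cspHashSource(string $inline, string $algo = 'sha256'): string
{
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("CSP supports sha256/sha384/sha512, got $algo");
    }
    // Hash the bytes exactly as served; any whitespace change breaks the match.
    return sprintf("'%s-%s'", $algo, base64_encode(hash($algo, $inline, true)));
}

// Pull inline script bodies out of the served HTML (external src= scripts are
// skipped) so the hashes are taken from what the browser actually sees.
function inlineScriptHashes(string $html, string $algo = 'sha256'): array
{
    preg_match_all('#<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>#is', $html, $m);
    return array_map(fn (string $body) => cspHashSource($body, $algo), $m[1]);
}

// Constructed sample page: one inline script, one external script.
$html = <<<'HTML'
<script>alert("Hello")</script>
<script src="/app.js"></script>
HTML;

// Policy value for script_src: keep 'self' and add one hash per inline script.
$scriptSrc = "'self' " . implode(' ', inlineScriptHashes($html));
echo $scriptSrc, PHP_EOL;
```

Any template change to the inline text, even whitespace, produces a different hash, which is why the hash belongs next to the script that generates it rather than hard-coded far away.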
    

## Gotchas and Tips

### Breaking Changes

1. **Directive Naming:** YAML config now uses underscores (`script_src` instead of `script-src`). Update all config files.

2. **Nonce Encoding:** nonces are now base64 (previously hex). If you store or read nonces directly (e.g., in cookies), decode them:
   ```php
   $rawNonce = base64_decode($base64Nonce, true); // Raw bytes (false if not valid base64)
   $hexNonce = bin2hex($rawNonce); // The old hex form, if you still need it
   ```

3. **Report Controller:** `ReportController` no longer accepts a `LoggerInterface`. Extend it by dispatching `CSPViolationEvent` instead:
   ```php
   use Aubes\CSPBundle\Event\CSPViolationEvent;
   use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;

   final class ReportController
   {
       public function __construct(
           private EventDispatcherInterface $dispatcher
       ) {}

       public function report(CSPReport $report): void {
           $event = new CSPViolationEvent($report, 'default');
           $this->dispatcher->dispatch($event);
       }
   }
   ```

4. **Group Conflicts:** `CSP::addGroup()` throws `InvalidArgumentException` if the group already exists. Use `CSP::setGroup()` to overwrite:
   ```php
   $csp->setGroup('admin', $newPolicy); // Replaces the existing group
   ```

5. **Multi-Group Constraints:** a request can have only one enforcing group and one report-only group. Applying two groups with the same mode throws `LogicException`:
   ```php
   $csp->applyGroups(['enforce_group', 'report_group']); // Valid
   $csp->applyGroups(['enforce_group1', 'enforce_group2']); // Throws LogicException
   ```

### Debugging Tips

1. **Debug Mode:** enable `debug: true` in the config to force all groups into report-only mode (no enforcement):
   ```yaml
   debug: true
   ```

2. **Audit Command:** run `php bin/console csp:check` to detect:
   - Missing directives (e.g., `base-uri`).
   - Unsafe sources (`'unsafe-inline'`, `*`).
   - Wildcards in sensitive directives (`script-src`, `style-src`).

3. **Profiler Panel:** use the Symfony profiler to inspect:
   - Applied CSP headers.
   - Nonce values.
   - Reported violations.

4. **Twig Nonce Resolution:** nonces generated in Twig are added to all active groups automatically. If a script or style is still blocked, verify that:
   - The group is applied (`$csp->applyGroups()`).
   - The directive includes `csp_nonce()` (e.g., `script_src: "'self' csp_nonce()"`).
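The three checks the audit command performs, as an added stand-alone example that is not the bundle's `csp:check` implementation: it parses a serialized `Content-Security-Policy` header and reports each finding. The lists of required and sensitive directives are this example's assumptions and go slightly beyond the ones the page names.

```php
<?php
// Added example, not the bundle's csp:check: a minimal audit of a serialized
// Content-Security-Policy header covering the three checks listed above
// (missing directives, unsafe sources, wildcards in sensitive directives).

/** Parse "a b c; d e" into ['a' => ['b', 'c'], 'd' => ['e']]. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $chunk) {
        $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens !== []) {
            $directives[strtolower(array_shift($tokens))] = $tokens;
        }
    }
    return $directives;
}
/** Return findings as strings; an empty array means the policy passed. */
function auditCsp(string $header): array
{
    $policy = parseCsp($header);
    $findings = [];
    // Required/sensitive lists are this example's assumptions; the page names
    // base-uri, script-src and style-src, the rest are added here.
    foreach (['default-src', 'base-uri', 'object-src', 'form-action'] as $required) {
        if (!isset($policy[$required])) {
            $findings[] = "missing directive: $required";
        }
    }
    $sensitive = ['default-src', 'script-src', 'style-src', 'object-src'];
    foreach ($policy as $name => $sources) {
        foreach ($sources as $src) {
            $lower = strtolower($src);
            if (in_array($lower, ["'unsafe-inline'", "'unsafe-eval'"], true)) {
                $findings[] = "unsafe source in $name: $src";
            }
            // '*' or a bare scheme such as https: allows any host, i.e. a wildcard.
            $wildcard = in_array($lower, ['*', 'http:', 'https:'], true);
            if ($wildcard && in_array($name, $sensitive, true)) {
                $findings[] = "wildcard in sensitive directive $name: $src";
            }
        }
    }
    return $findings;
}
// Constructed sample header: img-src * passes, the remaining five issues are reported.
$header = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src *; img-src *";
foreach (auditCsp($header) as $finding) {
    echo $finding, PHP_EOL;
}
```

Point it at the header your application actually emits (for example from the profiler panel) rather than at the YAML, so that presets, runtime overrides and nonce substitution are all reflected in what gets audited.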

### Extension Points

1. **Custom Presets:** register additional presets through the bundle's compiler pass:
   ```php
   // src/Kernel.php
   use Aubes\CSPBundle\DependencyInjection\Compiler\PresetPass;
   use Symfony\Component\DependencyInjection\ContainerBuilder;

   // Compiler passes are registered from build(), not from another pass's process()
   protected function build(ContainerBuilder $container): void {
       $container->addCompilerPass(new PresetPass([
           'custom_preset' => [
               'directives' => [
                   'default-src' => "'self' https://cdn.example.com",
               ],
           ],
       ]));
   }
   ```

2. **Custom Violation Handlers:** subscribe to `CSPViolationEvent` to:
   - Log to Sentry: `Sentry\captureException($event->getViolation()->getException())`.
   - Store in a database: `ViolationRepository::save($event->getViolation())`.

3. **Dynamic Directives:** override directives at runtime:
   ```php
   $csp->getGroup('default')->setDirective('script_src', "'self' csp_nonce()");
   ```

4. **Custom Sources:** implement `CSPSource` for domain-specific sources:
   ```php
   enum CustomSource implements CSPSource {
       case API_ENDPOINT;
       public function getValue(): string { return "'self' https://api.example.com"; }
   }
   ```

### Common Pitfalls

1. **Forgetting to Apply Groups:** CSP policies are not applied automatically. Always call
   ```php
   $csp->applyGroups(['default']);
   ```
   in your controller or middleware.

2. **Overusing `unsafe-inline`:** the audit command flags this as a security risk. Use `csp
