How do I install spatie/laravel-csp in a Laravel 9/10 project?

Run `composer require spatie/laravel-csp` in your project directory. The package auto-discovers and publishes its config file. No additional setup is required unless you need custom directives or middleware adjustments.

Does this package support Laravel Octane (Swoole/RoadRunner)?

Yes, the package explicitly supports Octane via scoped singletons (introduced in v3.23.1). This ensures thread-safe CSP header generation in high-concurrency environments, but test nonce collisions under load if using dynamic content.

Can I use this package with Livewire or Inertia.js in Octane?

Yes, but dynamic nonces may require extra validation. Ensure Livewire/Inertia scripts are explicitly allowed in your CSP directives (e.g., `script-src 'self' 'nonce-{nonce}'`). Test in Octane’s async context for nonce leakage.

How do I configure CSP directives for a Laravel app?

Edit the `config/csp.php` file published by the package. Define directives like `default-src`, `script-src`, and `style-src` using placeholders like `{nonce}` for dynamic content. Use `csp:directive()` in middleware or controllers for runtime adjustments.

What happens if a CSP violation occurs in Octane?

Violations are logged via Laravel’s default logging system. In Octane, ensure structured logging is configured to capture async worker events. Violations won’t block requests but help audit security risks.

Are there performance tradeoffs for using scoped singletons in non-Octane Laravel?

No, the scoped singleton pattern is backward-compatible with traditional PHP-FPM. It only optimizes nonce generation under concurrent requests, which is irrelevant in single-process environments. No performance impact is expected.

How do I test CSP headers in a Laravel application?

Use browser dev tools (Network tab) to inspect `Content-Security-Policy` headers. For automated testing, assert headers in PHPUnit with `$response->headers->get('Content-Security-Policy')`. Test violation reports with `report-uri` directives.

What Laravel versions does spatie/laravel-csp support?

The package supports Laravel 8+, with explicit Octane compatibility for Laravel 8.60+. Test thoroughly in Laravel 9/10 for framework-level CSP header changes, though no breaking updates are expected.

Can I use this package with a custom middleware stack?

Yes, but ensure the CSP middleware runs at the correct priority. Use `$stack->prepend()` for early execution (e.g., before auth) or `$stack->push()` for later. Conflicts may arise if other middleware modifies headers post-CSP.

What alternatives exist for CSP in Laravel?

Alternatives include manual header injection via `Response::header()` or packages like `league/csp`. However, `spatie/laravel-csp` offers deeper Laravel integration, nonce support, and Octane compatibility out of the box.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Laravel Csp Laravel Package

spatie/laravel-csp

Add Content Security Policy (CSP) headers to your Laravel app with easy configuration and preset policies. Control which scripts, styles, images, and connections are allowed, reduce XSS/data exfiltration risk, and support reporting and nonces.

View on GitHub

Deep Wiki

Context7

Set content security policy headers in a Laravel app

Frequently asked questions about Laravel Csp

How do I install spatie/laravel-csp in a Laravel 9/10 project?: Run `composer require spatie/laravel-csp` in your project directory. The package auto-discovers and publishes its config file. No additional setup is required unless you need custom directives or middleware adjustments.
Does this package support Laravel Octane (Swoole/RoadRunner)?: Yes, the package explicitly supports Octane via scoped singletons (introduced in v3.23.1). This ensures thread-safe CSP header generation in high-concurrency environments, but test nonce collisions under load if using dynamic content.
Can I use this package with Livewire or Inertia.js in Octane?: Yes, but dynamic nonces may require extra validation. Ensure Livewire/Inertia scripts are explicitly allowed in your CSP directives (e.g., `script-src 'self' 'nonce-{nonce}'`). Test in Octane’s async context for nonce leakage.
How do I configure CSP directives for a Laravel app?: Edit the `config/csp.php` file published by the package. Define directives like `default-src`, `script-src`, and `style-src` using placeholders like `{nonce}` for dynamic content. Use `csp:directive()` in middleware or controllers for runtime adjustments.
What happens if a CSP violation occurs in Octane?: Violations are logged via Laravel’s default logging system. In Octane, ensure structured logging is configured to capture async worker events. Violations won’t block requests but help audit security risks.
Are there performance tradeoffs for using scoped singletons in non-Octane Laravel?: No, the scoped singleton pattern is backward-compatible with traditional PHP-FPM. It only optimizes nonce generation under concurrent requests, which is irrelevant in single-process environments. No performance impact is expected.
How do I test CSP headers in a Laravel application?: Use browser dev tools (Network tab) to inspect `Content-Security-Policy` headers. For automated testing, assert headers in PHPUnit with `$response->headers->get('Content-Security-Policy')`. Test violation reports with `report-uri` directives.
What Laravel versions does spatie/laravel-csp support?: The package supports Laravel 8+, with explicit Octane compatibility for Laravel 8.60+. Test thoroughly in Laravel 9/10 for framework-level CSP header changes, though no breaking updates are expected.
Can I use this package with a custom middleware stack?: Yes, but ensure the CSP middleware runs at the correct priority. Use `$stack->prepend()` for early execution (e.g., before auth) or `$stack->push()` for later. Conflicts may arise if other middleware modifies headers post-CSP.
What alternatives exist for CSP in Laravel?: Alternatives include manual header injection via `Response::header()` or packages like `league/csp`. However, `spatie/laravel-csp` offers deeper Laravel integration, nonce support, and Octane compatibility out of the box.

Popularity trends

Recorded values over time (once-a-day snapshots). May 7, 2026 – Jun 5, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

858

Favorites

863

Forks

100

Score

36.9

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 858

+4.3
Forks

input: 100

+3.0
Open issues + PRs

input: 0

+0.0
Releases

input: 35

+10.5
Recency

input: 25

+18.6
Issue opportunity

input: 0

+0.0
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 36.4

Opportunity

44.0

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

68.2
Contribution need

open_issues + open_prs: 0

0.0
Health factor

archived + recency + open issues

×0.99

Total 43.9

License

MIT

Last release

May 11, 2026

Watchers

Downloads

458K/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope

anil/file-picker

broqit/fields-ai