
aubes/csp-bundle
================

v1.1.0 (2mo ago) · MIT · PHP >=7.4 · CI passing

[Source](https://github.com/aubes/csp-bundle) · [Packagist](https://packagist.org/packages/aubes/csp-bundle)

Content Security Policy Bundle
==============================


[![CI](https://github.com/aubes/csp-bundle/actions/workflows/php.yml/badge.svg)](https://github.com/aubes/csp-bundle/actions/workflows/php.yml/badge.svg)

This Symfony bundle provides a helper for configuring [Content-Security-Policy](https://developer.mozilla.org/fr/docs/Web/HTTP/CSP) headers.

It is compatible with:

- PHP 7.4 | 8
- Symfony 5.4 | 6 | 7

Installation
------------


```
composer require aubes/csp-bundle
```

Configuration
-------------

The configuration looks as follows:

```
# config/packages/csp.yaml
csp:
    # A default group name is required when multiple groups are defined
    # When only one group is defined, it becomes the default group
    default_group: ~

    # Add default group CSP headers in each response
    auto_default: false

    groups:
        # Name of the policy group
        default_example:
            # Use 'Content-Security-Policy-Report-Only' header instead of 'Content-Security-Policy'
            report_only: false

            policies:
                # Use directive name, reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
                base-uri:
                    # Internal sources are supported; single quotes are added automatically
                    - self

                    # Constants can be used for internal sources
                    - !php/const Aubes\CSPBundle\CSPSource::SELF

                    # Source reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources
                    - 'https://example.com'

                # Use a PHP constant instead of the directive name
                !php/const Aubes\CSPBundle\CSPDirective::SCRIPT_SRC:
                    - # Source

        another_group:
            # [...]
```

Usage
-----


### Add CSP Headers


#### Auto default

If the `auto_default` configuration is enabled, the default group is injected in each response.

To disable CSP on a specific route:

```
# config/routes.yaml
example_routes:
    # [...]
    defaults:
        _csp_disabled: true
```

#### Manually


```
# config/routes.yaml
example_routes:
    # [...]
    defaults:
        _csp_groups: [] # Group list
```

#### Add on the fly directive


```
namespace App\Controller;

use Aubes\CSPBundle\CSP;
use Aubes\CSPBundle\CSPDirective;
use Aubes\CSPBundle\CSPSource;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class ExampleController extends AbstractController
{
    public function __invoke(CSP $csp)
    {
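        // Add a source to a directive at runtime; the commented-out third argument selects the group.
        // 'unsafe-inline' allows every inline script, so prefer a nonce (see below) where possible.
        $csp->addDirective(CSPDirective::SCRIPT_SRC, CSPSource::UNSAFE_INLINE/*, 'default_example'*/);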

        return $this->render('csp.html.twig');
    }
}
```

### Source nonce

Twig functions are available to add a `nonce` attribute to nonceable inline elements in your templates.

#### csp\_nonce

**Arguments**:

- **directive**: name of the CSP directive (required)
- **groupName**: group name; the default group is used if not defined
- **nonce**: base64 nonce ID

```

    // [...]

    // [...]

    // [...]

```

#### csp\_script\_nonce

**Arguments**:

- **groupName**: group name; the default group is used if not defined
- **nonce**: base64 nonce ID

#### csp\_style\_nonce

**Arguments**:

- **groupName**: group name; the default group is used if not defined
- **nonce**: base64 nonce ID
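
The mechanism these Twig functions rely on, as an added example that is not the bundle's code: each response gets a fresh random nonce per directive, and the same value must appear both in the element's `nonce` attribute and as a `'nonce-…'` source in the header. The `NonceBook` class and its method names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration (hypothetical class, not part of aubes/csp-bundle).
final class NonceBook
{
    /** @var array<string, string> directive => base64 nonce */
    private array $nonces = [];

    public function nonceFor(string $directive): string
    {
        // 16 bytes from the CSPRNG, generated once per directive per response.
        // A nonce must never be reused across responses or be predictable.
        return $this->nonces[$directive] ??= base64_encode(random_bytes(16));
    }

    /** Attribute to place on the inline <script> or <style> element. */
    public function attribute(string $directive): string
    {
        return sprintf('nonce="%s"', htmlspecialchars($this->nonceFor($directive), ENT_QUOTES));
    }

    /** @param array<string, string[]> $policies directive => configured sources */
    public function header(array $policies): string
    {
        $parts = [];
        foreach ($policies as $directive => $sources) {
            // Only directives that actually handed out a nonce get a nonce source.
            if (isset($this->nonces[$directive])) {
                $sources[] = sprintf("'nonce-%s'", $this->nonces[$directive]);
            }
            $parts[] = $directive . ' ' . implode(' ', $sources);
        }
        return implode('; ', $parts);
    }
}

$book = new NonceBook();
// 1. The template renders first and asks for a nonce.
$html = sprintf('<script %s>console.log("allowed");</script>', $book->attribute('script-src'));
// 2. The header is built afterwards, so every nonce handed out is included.
$header = $book->header(['script-src' => ["'self'"], 'style-src' => ["'self'"]]);

echo 'Content-Security-Policy: ', $header, PHP_EOL, $html, PHP_EOL;
// An inline <script> without the attribute, or carrying a stale value, is blocked by the browser.
```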

### Report


#### Configuration

Enable [report-to](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to) in the configuration:

```
# config/packages/csp.yaml
csp:
    groups:
        default_example:
            reporting:
                group_name: ~ # Override the group name

                # Add report-uri backward compatibility
                backward_compatibility: false

                max_age: 3600
                endpoints:
                    - # Symfony route
```

#### Built-in controller

A built-in controller can log reports (path: `/csp-report/{group}`, name: `csp_report`).

To use the built-in controller to log reports:

```
# config/routes.yaml
csp:
    resource: '@CSPBundle/Resources/config/routing.yaml'
```

Add the route as a reporting endpoint:

```
# config/packages/csp.yaml
csp:
    groups:
        default_example:
            reporting:
                # [...]
                endpoints:
                    - 'csp_report'
```

#### Built-in controller logger

To configure the logger of this controller:

```
# config/packages/csp.yaml
csp:
    report_logger:
        logger_id: ~ # Logger Service Id
        level: ~ # Log level, default is WARNING
```
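
A sketch of what a report endpoint has to handle, added here and not taken from the bundle's controller: with `backward_compatibility` enabled, browsers may post either the legacy `report-uri` body (`application/csp-report`) or a Reporting API batch (`application/reports+json`). The function name, size limits and sample bodies are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

/** @return array<int, array<string, string>> flat, length-limited records for a logger */
function normaliseCspReports(string $contentType, string $body, int $maxBytes = 8192): array
{
    if (strlen($body) > $maxBytes) {
        return []; // the endpoint is unauthenticated: refuse oversized bodies
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return [];
    }
    // Field names differ between the legacy report-uri body and the Reporting API body.
    $legacy = ['document-uri', 'effective-directive', 'blocked-uri'];
    $modern = ['documentURL', 'effectiveDirective', 'blockedURL'];

    if (stripos($contentType, 'application/csp-report') === 0) {
        $items = [[$data['csp-report'] ?? [], $legacy]];
    } else { // application/reports+json: a batch that may mix report types
        $items = [];
        foreach ($data as $report) {
            if (is_array($report) && ($report['type'] ?? '') === 'csp-violation') {
                $items[] = [$report['body'] ?? [], $modern];
            }
        }
    }
    $records = [];
    foreach ($items as [$fields, $names]) {
        $record = [];
        foreach (['document', 'directive', 'blocked'] as $i => $key) {
            $value = is_array($fields) && is_string($fields[$names[$i]] ?? null) ? $fields[$names[$i]] : '';
            // Strip control characters so a report cannot forge extra log lines.
            $record[$key] = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $value), 0, 256);
        }
        $records[] = $record;
    }
    return $records;
}

// Constructed sample bodies, one per format; the first carries an embedded newline.
$legacyBody = '{"csp-report":{"document-uri":"https://app.example/","effective-directive":"script-src-elem","blocked-uri":"https://cdn.example/x.js\nFAKE"}}';
$modernBody = '[{"type":"csp-violation","body":{"documentURL":"https://app.example/","effectiveDirective":"style-src-elem","blockedURL":"inline"}}]';
print_r(normaliseCspReports('application/csp-report', $legacyBody));
print_r(normaliseCspReports('application/reports+json', $modernBody));
```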

