
decodelabs/sanctum
==================

Define and deploy Content Security Policies in your PHP application

v0.4.1 · MIT · PHP ^8.4 · CI passing


[Source](https://github.com/decodelabs/sanctum) · [Packagist](https://packagist.org/packages/decodelabs/sanctum)


Sanctum
=======



### Content Security Policies for your PHP application.


Sanctum allows you to create and deploy Content Security Policies with ease. Take the guesswork out of this important security feature.

---

Installation
------------


This package requires PHP 8.4 or higher.

Install via Composer:

```bash
composer require decodelabs/sanctum
```

Usage
-----


Create your definition:

```php
use DecodeLabs\Sanctum\Definition;

class MyCsp extends Definition {

    // These items can be reused in other directives
    const SharedSrc = [
        '@self', // Resolves to 'self'
        '*.myotherdomain.com'
    ];

    // These items create the default-src directive
    const DefaultSrc = [
        '@shared-src', // Import items from SharedSrc
    ];

    // These define script sources
    const ScriptSrc = [
        '@nonce', // Creates a unique nonce to be used in markup
        '@unsafe-inline', // Resolves to 'unsafe-inline'

        '@strict-dynamic',
        '@https',
        '@http'
    ];

    // These define image sources
    const ImgSrc = [
        '@shared', // Import items from SharedSrc
        '@data', // Resolves to data: for data URLs
        '*.myimagecdn.net',
        '!*.myotherdomain.com' // Exclude importing from SharedSrc
    ];

    // Report endpoint
    const ReportUri = 'https://mydomain.com/report';
}
```

Please see  for a full list of directives.

Then in your HTTP handler:

```php
$csp = new MyCsp();

foreach($csp->exportHeaders() as $header => $value) {
    $response->setHeader($header, $value);
}

/*
Reporting-Endpoints => sanctum-csp-report="https://mydomain.com/report"
Content-Security-Policy =>
    default-src 'self' *.myotherdomain.com;
    script-src 'nonce-98b88fa48f23911d6fc1f5092efb2e36d76423ce4f5d7ef42765a2c2501d57c9' 'unsafe-inline' 'strict-dynamic' https: http:;
    img-src 'self' data: *.myimagecdn.net;
    report-uri https://mydomain.com/report;
    report-to sanctum-csp-report
*/
```
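As an added example (not part of Sanctum or its README), the following parses a serialised policy like the one above and reports what its `script-src` will actually do in a browser, using the CSP fallback rules: a nonce or hash disables `'unsafe-inline'`, and `'strict-dynamic'` disables the host and scheme sources. The header string is constructed from the output shown above.

```php
<?php
// Added example (not Sanctum's own code): parse a serialised Content-Security-Policy
// value and report what its script-src will effectively allow in a browser.
/** Parse "directive src src; directive src" into ['directive' => [sources]]. */
function parseCsp(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $chunk) {
        $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) continue;
        $name = strtolower(array_shift($tokens));
        $policy[$name] ??= $tokens; // a repeated directive is ignored: first one wins
    }
    return $policy;
}

/** Findings about script execution, following CSP2/CSP3 fallback rules. */
function reviewScriptSrc(array $policy): array
{
    $findings = [];
    $src = $policy['script-src'] ?? $policy['default-src'] ?? [];
    if ($src === []) return ['no script-src or default-src: scripts from any origin run'];
    $hasNonceOrHash = preg_grep("/^'(nonce|sha(256|384|512))-/", $src) !== [];
    $strictDynamic = in_array("'strict-dynamic'", $src, true);
    if (in_array("'unsafe-inline'", $src, true)) {
        $findings[] = $hasNonceOrHash
            ? "'unsafe-inline' is ignored once a nonce/hash is present (legacy fallback only)"
            : "'unsafe-inline' lets any inline script run (no XSS mitigation)";
    }
    $broad = array_intersect($src, ['*', 'http:', 'https:']);
    if ($broad !== []) {
        $findings[] = $strictDynamic
            ? 'host/scheme sources (' . implode(' ', $broad) . ") are ignored under 'strict-dynamic'"
            : 'scheme sources (' . implode(' ', $broad) . ') allow scripts from any matching origin';
    }
    if (!isset($policy['object-src']) && ($policy['default-src'] ?? []) !== ["'none'"]) {
        $findings[] = "object-src is not set to 'none'; plugin content falls back to default-src";
    }
    return $findings;
}

// Constructed sample: the policy shown above as Sanctum would send it, on one line.
$header = "default-src 'self' *.myotherdomain.com; "
    . "script-src 'nonce-98b88fa48f23911d6fc1f5092efb2e36d76423ce4f5d7ef42765a2c2501d57c9' "
    . "'unsafe-inline' 'strict-dynamic' https: http:; img-src 'self' data: *.myimagecdn.net; "
    . "report-uri https://mydomain.com/report; report-to sanctum-csp-report";

foreach (reviewScriptSrc(parseCsp($header)) as $finding) {
    echo "- $finding\n";
}
```

For the sample policy it reports that `'unsafe-inline'`, `https:` and `http:` are fallbacks that nonce-aware browsers ignore, and that `object-src` inherits `'self'` from `default-src`.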

### Hashes


Make use of the hash feature for scripts - see  for explanation

```php
/*
HTML:
<script>doSomething();</script>
*/
$script = 'doSomething();'; // Your JS

// Adds sha256-xxx hash to CSP directive
$hash = $csp->hashContent($script, 'script-src');
```
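To show what the `sha256-xxx` value added by `hashContent()` is, here is an added example (not Sanctum's own code) that derives a CSP hash source the way browsers compute it and checks whether an inline script would be allowed by a given `script-src` list; the script text and source list are constructed.

```php
<?php
// Added example (not Sanctum's own code): how a CSP script hash is derived and
// checked. Assumes the inline script text is exactly what the browser will hash.

/** Return a CSP source expression such as 'sha256-<base64>' for an inline script. */
function cspHashSource(string $script, string $algo = 'sha256'): string
{
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("CSP only accepts sha256/sha384/sha512, got $algo");
    }
    // The browser hashes the raw bytes between <script> and </script>, then base64-encodes
    // the binary digest; no hex, no trimming, so any whitespace change breaks the match.
    return "'" . $algo . '-' . base64_encode(hash($algo, $script, true)) . "'";
}

/** Would a browser execute this inline script under the given script-src list? */
function inlineScriptAllowed(string $script, array $scriptSrc): bool
{
    foreach (['sha256', 'sha384', 'sha512'] as $algo) {
        if (in_array(cspHashSource($script, $algo), $scriptSrc, true)) {
            return true;
        }
    }
    // Without a matching hash, only a nonce on the element could allow it;
    // 'unsafe-inline' is ignored by browsers once a hash or nonce is present.
    return false;
}

$script = 'doSomething();';                       // the JS from the README example
$scriptSrc = ["'self'", cspHashSource($script)];  // the kind of entry hashContent() adds to script-src

var_dump(inlineScriptAllowed($script, $scriptSrc));            // identical bytes: allowed
var_dump(inlineScriptAllowed("doSomething();\n", $scriptSrc)); // trailing newline: different digest
```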

Archetype loader
----------------


Sanctum also provides an optional [Archetype](https://github.com/decodelabs/archetype) loader:

```php
namespace DecodeLabs\Sanctum\Definition;

use DecodeLabs\Sanctum\Definition;

class MyCsp extends Definition {}

$csp = Definition::load('MyCsp');
$csp->exportHeaders();
```

Archetype will look for implementations in the root namespace (`DecodeLabs\Sanctum\Definition`) by default. If you want to host your implementations in a different namespace, you should create and register a new [Archetype resolver](https://github.com/decodelabs/archetype) to find them.

Licensing
---------


Sanctum is licensed under the MIT License. See [LICENSE](./LICENSE) for the full license text.

PHP version history (3 changes): v0.1.0 PHP ^8.0; v0.1.5 PHP ^8.1; v0.3.0 PHP ^8.4

