
mulertech/csp-bundle
====================

Symfony bundle for Content Security Policy (CSP) header management with nonce support

Latest release v2.0.0 · MIT · PHP >= 8.2 · CI passing

[Source](https://github.com/mulertech/csp-bundle) · [Packagist](https://packagist.org/packages/mulertech/csp-bundle)

MulerTech CSP Bundle
====================


Symfony bundle for Content Security Policy (CSP) header management with named nonce support.

Installation
------------


```
composer require mulertech/csp-bundle
```

Configuration
-------------


The bundle ships with secure defaults for all directives. You only need to override what differs from the defaults.

Minimal `config/packages/mulertech_csp.yaml`:

```
mulertech_csp:
    directives:
        script-src:
            - "'self'"
            - "nonce(main)"
        style-src:
            - "'self'"
            - "'unsafe-inline'"
```

### Full reference


Here is the complete list of available options with their default values:

```
mulertech_csp:
    enabled: true                    # true by default
    report_only: false               # false by default
    always_add: []                   # Origins added to ALL directives
    report:
        url: ~                       # External URL for report-uri/report-to
        route: ~                     # Symfony route name (alternative to url)
        route_params: []             # Route parameters
        chance: 100                  # 0-100, % of requests with reporting
    directives:                      # Only override what you need
        default-src:
            - "'self'"
        script-src:
            - "'self'"
            - "nonce(main)"
        style-src:
            - "'self'"
            - "'unsafe-inline'"
        img-src:
            - "'self'"
            - "data:"
        font-src:
            - "'self'"
        connect-src:
            - "'self'"
        media-src:
            - "'self'"
        object-src:
            - "'none'"
        frame-src:
            - "'none'"
        frame-ancestors:
            - "'none'"
        base-uri:
            - "'self'"
        form-action:
            - "'self'"
        upgrade-insecure-requests: true
```

### Default directives


| Directive | Default |
|---|---|
| `default-src` | `'self'` |
| `script-src` | `'self'` + `nonce(main)` |
| `style-src` | `'self' 'unsafe-inline'` |
| `img-src` | `'self' data:` |
| `font-src` | `'self'` |
| `connect-src` | `'self'` |
| `media-src` | `'self'` |
| `object-src` | `'none'` |
| `frame-src` | `'none'` |
| `frame-ancestors` | `'none'` |
| `base-uri` | `'self'` |
| `form-action` | `'self'` |
| `upgrade-insecure-requests` | `true` |

### Named nonces

Use `nonce(handle)` syntax in directives to create named nonces:

```
mulertech_csp:
    directives:
        script-src:
            - "'self'"
            - "nonce(main)"           # For your main scripts
            - "nonce(analytics)"      # For analytics scripts
```

Each named nonce is a unique, cryptographically secure 256-bit (32-byte) value.

### always\_add


Add origins to all directives automatically (except those set to `'none'`):

```
mulertech_csp:
    always_add:
        - "https://cdn.example.com"
    directives:
        default-src:
            - "'self'"
        object-src:
            - "'none'"               # always_add is NOT merged here
```

### Violation reporting


Report CSP violations to an external endpoint:

```
mulertech_csp:
    report:
        url: "https://report.example.com/csp"
        chance: 50                    # Only 50% of requests
```

Or use a Symfony route:

```
mulertech_csp:
    report:
        route: "app_csp_report"
        route_params: {}
```
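The route-based variant needs a controller behind the `app_csp_report` route. The following is an added example, not part of the bundle, assuming a default Symfony 6.4/7 app with attribute routing and autowiring; the class name, the `/csp-report` path and the 16 KiB body cap are assumptions.

```php
<?php
// Added example (hypothetical controller, not part of the bundle) behind the
// "app_csp_report" route above. It accepts the legacy report-uri body
// ({"csp-report": {...}}) and the Reporting API body ([{"type": "csp-violation",
// "body": {...}}]), keeps the fields a defender triages on, and logs them.
// Reports are attacker-influenced input: size-capped and logged as data only.
namespace App\Controller;

use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

final class CspReportController
{
    #[Route('/csp-report', name: 'app_csp_report', methods: ['POST'])]
    public function __invoke(Request $request, LoggerInterface $logger): Response
    {
        $raw = $request->getContent();
        if (strlen($raw) > 16 * 1024) {
            return new Response('', Response::HTTP_REQUEST_ENTITY_TOO_LARGE);
        }
        $data = json_decode($raw, true);
        if (!is_array($data)) {
            return new Response('', Response::HTTP_BAD_REQUEST);
        }
        foreach (self::normalise($data) as $violation) {
            $logger->warning('CSP violation', $violation);
        }
        return new Response('', Response::HTTP_NO_CONTENT); // browsers ignore the body
    }

    /** Maps either wire format onto document / directive / blocked / disposition. */
    private static function normalise(array $data): array
    {
        if (is_array($data['csp-report'] ?? null)) { // report-uri: one report, kebab-case keys
            $data = [['type' => 'csp-violation', 'body' => $data['csp-report']]];
        }
        $out = [];
        foreach ($data as $r) {
            $b = $r['body'] ?? null;
            if (($r['type'] ?? null) !== 'csp-violation' || !is_array($b)) { continue; }
            $out[] = [
                'document'    => (string) ($b['documentURL'] ?? $b['document-uri'] ?? ''),
                'directive'   => (string) ($b['effectiveDirective'] ?? $b['effective-directive'] ?? $b['violated-directive'] ?? ''),
                'blocked'     => (string) ($b['blockedURL'] ?? $b['blocked-uri'] ?? ''),
                'disposition' => (string) ($b['disposition'] ?? 'enforce'),
            ];
        }
        return $out;
    }
}
```

A `disposition` of `report` marks violations collected under report-only mode, so the same endpoint serves both the test and the enforced policy.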

### Report-only mode


Test your CSP policy without enforcing it:

```
mulertech_csp:
    report_only: true
```

This sets the `Content-Security-Policy-Report-Only` header instead of `Content-Security-Policy`.
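To make the rules from the named nonces, `always_add` and report-only sections concrete, here is a standalone PHP script that assembles a header from a config array shaped like the YAML above. It is an added illustration, not the bundle's implementation; the function names `buildCspHeader` and `nonceFor` and the array layout are assumptions.

```php
<?php
// Added illustration (not the bundle's code) of the assembly rules documented
// above: "nonce(handle)" -> 'nonce-<base64 of 32 random bytes>', always_add
// merged into every directive except those set to 'none', boolean directives
// emitted bare, and report_only selecting the Report-Only header name.
declare(strict_types=1);
/** One 256-bit nonce per handle, memoised so header and templates agree. */
function nonceFor(string $handle, array &$nonces): string
{
    $nonces[$handle] ??= base64_encode(random_bytes(32));
    return $nonces[$handle];
}

/** @return array{string, string} [header name, header value] */
function buildCspHeader(array $config, array &$nonces): array
{
    $parts = [];
    foreach ($config['directives'] as $name => $sources) {
        if (is_bool($sources)) {                 // e.g. upgrade-insecure-requests: true
            if ($sources) { $parts[] = $name; }
            continue;
        }
        $values = [];
        foreach ($sources as $src) {
            $values[] = preg_match('/^nonce\((\w+)\)$/', $src, $m)
                ? "'nonce-" . nonceFor($m[1], $nonces) . "'"
                : $src;
        }
        if ($values !== ["'none'"]) {            // always_add is NOT merged into 'none'
            $values = array_values(array_unique(array_merge($values, $config['always_add'] ?? [])));
        }
        $parts[] = $name . ' ' . implode(' ', $values);
    }
    $header = ($config['report_only'] ?? false)
        ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    return [$header, implode('; ', $parts)];
}

$nonces = [];
[$name, $value] = buildCspHeader([
    'report_only' => false,
    'always_add'  => ['https://cdn.example.com'],
    'directives'  => [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", 'nonce(main)'],
        'object-src'  => ["'none'"],
        'upgrade-insecure-requests' => true,
    ],
], $nonces);
echo "$name: $value\n";
```

Flip `report_only` to `true` and the same policy is emitted under `Content-Security-Policy-Report-Only`, which is how the test-before-enforce workflow above works.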

Usage
-----


### In Twig templates


Use the `csp_nonce('handle')` function with a named handle:

```
<script nonce="{{ csp_nonce('main') }}">
    // Your inline JavaScript
</script>

<script nonce="{{ csp_nonce('analytics') }}">
    // Analytics script
</script>
```

### Dynamic CSP customization


Listen to the `BuildCspHeaderEvent` to customize the CSP per request:

```
use MulerTech\CspBundle\Event\BuildCspHeaderEvent;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;

#[AsEventListener(event: BuildCspHeaderEvent::NAME)]
class CspListener
{
    public function __invoke(BuildCspHeaderEvent $event): void
    {
        // Exact match: only "/admin" itself, not "/admin/..." sub-paths.
        if ($event->getRequest()->getPathInfo() === '/admin') {
            // Sets the complete header value used for this request.
            $event->setHeaderValue("default-src 'self'; script-src 'self'");
        }
    }
}
```

### Inject the nonce generator


```
use MulerTech\CspBundle\CspNonceGenerator;

class MyService
{
    public function __construct(
        private readonly CspNonceGenerator $nonceGenerator,
    ) {}

    public function getMainNonce(): string
    {
        return $this->nonceGenerator->getNonce('main');
    }
}
```

Upgrading from v1.x
-------------------


### Breaking changes


1. **Directives format**: Changed from scalar strings to arrays of sources

```
# v1.x
mulertech_csp:
    directives:
        script-src: "'self' 'nonce-{nonce}'"

# v2.0
mulertech_csp:
    directives:
        script-src:
            - "'self'"
            - "nonce(main)"
```

2. **Twig function**: `csp_nonce()` now requires a handle argument

```
{# v1.x #}
<script nonce="{{ csp_nonce() }}">

{# v2.0 #}
<script nonce="{{ csp_nonce('main') }}">
```

3. **Nonce placeholder**: `{nonce}` replaced by `nonce(handle)` syntax

Requirements
------------


- PHP >= 8.2
- Symfony 6.4 or 7.x
- Twig (optional, for the `csp_nonce()` function)
- symfony/routing (optional, for route-based reporting)

License
-------


MIT
