
Active · Symfony bundle · [Security](/categories/security)

opctim/symfony-csp-bundle
=========================

This bundle helps to properly secure your application using the CSP header in a symfony application.

Latest version 2.0.0 (5 months ago) · 21.7k downloads (↓45.5%) · MIT license · PHP >= 8.1

Since Apr 25 · Pushed 5 months ago · 1 watcher

[Source](https://github.com/opctim/symfony-csp-bundle) · [Packagist](https://packagist.org/packages/opctim/symfony-csp-bundle) · [RSS](/packages/opctim-symfony-csp-bundle/feed) · branch main, synced 1 month ago

Symfony CSP Bundle
==================


Ever fought with CSP headers? Me too. It always used to be a pain to configure CSP headers properly.

But setting CSP header directives is more important than ever! If you ever came across different tracking scripts, you probably also noticed how many additional fourth-party scripts are lazy loaded. This could lead to malicious JavaScript being loaded to your page, which could be catastrophic, especially when building payment gateways.

It even helps you with adding dynamic [nonce tokens](https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce) when **not** using the `unsafe-inline` directive **(which you should avoid)**.

Requirements
------------

- PHP >= 8.1 with the OpenSSL extension installed
- Symfony >= 6.4

Installation
------------


```
composer require opctim/symfony-csp-bundle
```

Configuration
-------------


In your `config/` directory, add / edit `opctim_csp_bundle.yaml`:

```
# config/packages/opctim_csp_bundle.yaml

opctim_csp_bundle:

    always_add: []

    report:
        url: null
        route: null
        route_params: []
        chance: 100

    directives:
        default-src:
            - "'self'"
            - 'data:'
            - '*.example.com'
        base-uri:
            - "'self'"
        object-src:
            - "'none'"
        script-src:
            - "'self'"
            - "nonce(payment-app)" # For more info, see "Dynamic nonce tokens" section below!
            - '*.example.com'
        img-src:
            - "'self'"
            - '*.example.com'
        style-src:
            - "'self'"
            - "'unsafe-inline'"
        connect-src:
            - '*.example.com'
        font-src:
            - '*.example.com'
        frame-src:
            - "'self'"
            - '*.example.com'
        frame-ancestors:
            - "'self'"
            - '*.example.com'
```

[You can use any directives you want here!](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) This is just a fancy way of writing the directives.

So:

```
default-src:
    - "'self'"
    - 'data:'
    - '*.example.com'
```

becomes

```
Content-Security-Policy: default-src 'self' data: *.example.com;
```

### The always_add option

As the name implies, this option adds the specified origins to all directives. This can be useful with `when@dev`:

```
# config/packages/opctim_csp_bundle.yaml

opctim_csp_bundle:
    always_add: []

    directives:
        default-src:
            - "'self'"
            - 'data:'
            - '*.example.com'
        base-uri:
            - "'self'"
        object-src:
            - "'none'"
        script-src:
            - "'self'"
            - "nonce(payment-app)"  # For more info, see "Dynamic nonce tokens" section below!
            - '*.example.com'

when@dev:
    opctim_csp_bundle:
        always_add:
            - '*.example.local'
```

**Important:** If `'none'` is the first and only source of a directive, `always_add` skips that directive (appending other sources to `'none'` would defeat it). This feature was added in `1.1.4`.

You also can use `when@dev` to add origins to specific directives conditionally:

```
# config/packages/opctim_csp_bundle.yaml

opctim_csp_bundle:
    always_add: []

    directives:
        default-src:
            - "'self'"
            - 'data:'
            - '*.example.com'
        script-src:
            - "'self'"
            - '*.example.com'

when@dev:
    opctim_csp_bundle:
        directives:
            connect-src:
                - 'some.external.additional.host.com'
```
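As an added example (not code from the bundle), the following plain PHP shows how the directive lists and the `always_add` option end up as one `Content-Security-Policy` header value, including the `'none'` rule above and a `when@dev`-style override. The configuration arrays mirror the YAML on this page; the merge rules and function names are this example's own assumptions, not the bundle's internals.

```php
<?php
// Added example, not code from the bundle: how the directive lists and the
// always_add option become one Content-Security-Policy header value.
// The configuration arrays mirror the YAML above; the merge rules are an
// assumption for this example, not a description of the bundle's internals.
declare(strict_types=1);

/**
 * Merge a when@dev-style override into the base config. Lists are appended
 * (deduplicated), nested maps are merged recursively, scalars are replaced.
 */
function mergeConfig(array $base, array $override): array
{
    foreach ($override as $key => $value) {
        $existing = $base[$key] ?? null;
        if (is_array($value) && is_array($existing) && array_is_list($value)) {
            $base[$key] = array_values(array_unique(array_merge($existing, $value)));
        } elseif (is_array($value) && is_array($existing)) {
            $base[$key] = mergeConfig($existing, $value);
        } else {
            $base[$key] = $value;
        }
    }

    return $base;
}

/**
 * Render the header value. always_add sources are appended to every
 * directive, except one whose only source is 'none': appending anything to
 * 'none' would silently re-open that directive, so it is left untouched.
 */
function buildCspHeader(array $directives, array $alwaysAdd): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        if ($alwaysAdd !== [] && $sources !== ["'none'"]) {
            $sources = array_values(array_unique(array_merge($sources, $alwaysAdd)));
        }
        $parts[] = $name . ' ' . implode(' ', $sources);
    }

    return implode('; ', $parts) . ';';
}

// Constructed config, equivalent to the YAML above (nonce() is left out here;
// the "Dynamic nonce tokens" section covers that part).
$config = [
    'always_add' => [],
    'directives' => [
        'default-src' => ["'self'", 'data:', '*.example.com'],
        'base-uri'    => ["'self'"],
        'object-src'  => ["'none'"],
        'script-src'  => ["'self'", '*.example.com'],
    ],
];
$whenDev = ['always_add' => ['*.example.local']];

echo 'prod: ', buildCspHeader($config['directives'], $config['always_add']), PHP_EOL;

$dev = mergeConfig($config, $whenDev);
echo 'dev:  ', buildCspHeader($dev['directives'], $dev['always_add']), PHP_EOL;
```

Run with `php` on the command line: the `dev` line carries `*.example.local` in `default-src`, `base-uri` and `script-src`, while `object-src 'none'` is left exactly as configured. That is the behaviour to expect from `always_add`, and a quick way to review what a `when@dev` override actually widens before deploying it.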

### The report option

This bundle provides an easy way to configure the reporting feature of CSP, which tells browsers to inform your backend when your CSP configuration blocks a resource. Browsers currently implement two mechanisms, `report-uri` and `report-to`:

- `report-uri` (the older directive)
- `report-to` (the newer directive, backed by the Reporting API)

So, following the MDN docs, this bundle adds the `report-uri` directive and the `Reporting-Endpoint` header to also support newer browsers in the future.

This bundle provides a backwards compatible implementation, which should be supported by all browsers.

```
# config/packages/opctim_csp_bundle.yaml

opctim_csp_bundle:
    always_add: []

    report:
        url: null
        route: my_awesome_controller_action
        route_params: []
        chance: 100

    directives:
        default-src:
            - "'self'"
            - 'data:'
            - '*.example.com'
```

- `url` - `optional` You can pass an external URL here, which the browsers should report to.
- `route` - `optional` Use this if you want your own controller action to receive reports. The bundle uses the UrlGenerator to generate an absolute URL for you.
- `route_params` - `optional` You can pass additional route parameters here if you're using the `route` parameter.
- `chance` - `optional` The unit of this field is percent. It sets the probability that the report directives are added to a given response.

**Here is some pseudocode explaining the chance option:**

```
if (random_int(0, 99) < $chance) {
    $someService->addReportHeaders();
}
```

This means that with a chance of 100% the report directives are added to every response. Depending on your app's traffic, a chance of around 5-10% is recommended so that you are not flooded with CSP report messages.
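Whatever the `chance` setting, the endpoint named by `route` or `url` has to make sense of what browsers send. As an added example (not code from the bundle), the plain PHP below normalises both report formats a browser may POST, the legacy `report-uri` body (`application/csp-report`) and the Reporting API batch (`application/reports+json`), into one record shape, caps field sizes because reports are client-controlled input, and rejects malformed bodies. The sample payloads and the function names are constructed for this example.

```php
<?php
// Added example, not code from the bundle: normalising the violation reports
// that arrive at the endpoint named by `route` or `url`. Browsers POST two
// formats: the legacy report-uri body (application/csp-report, one object
// under "csp-report") and the Reporting API batch (application/reports+json,
// a JSON array of {type, url, body} entries). Sample payloads are constructed.
declare(strict_types=1);

const MAX_FIELD = 512; // reports are client-controlled input: cap what reaches the logs

/** One flat record; non-scalar values become '' and long strings are clipped. */
function record(mixed $document, mixed $directive, mixed $blocked, mixed $policy): array
{
    $clip = fn (mixed $v): string => substr(is_scalar($v) ? (string) $v : '', 0, MAX_FIELD);

    return [
        'document'  => $clip($document),
        'directive' => $clip($directive),
        'blocked'   => $clip($blocked),
        'policy'    => $clip($policy),
    ];
}

/**
 * Returns one record per CSP violation, with the same keys for both formats.
 * Malformed input throws so it cannot be written to the log as-is.
 */
function normalizeCspReports(string $contentType, string $body): array
{
    $data = json_decode($body, true, 16, JSON_THROW_ON_ERROR);

    if (str_starts_with($contentType, 'application/csp-report')) {
        $r = $data['csp-report'] ?? null;
        if (!is_array($r)) {
            throw new InvalidArgumentException('missing "csp-report" object');
        }

        return [record(
            $r['document-uri'] ?? '',
            $r['effective-directive'] ?? $r['violated-directive'] ?? '',
            $r['blocked-uri'] ?? '',
            $r['original-policy'] ?? '',
        )];
    }

    if (str_starts_with($contentType, 'application/reports+json')) {
        if (!is_array($data) || !array_is_list($data)) {
            throw new InvalidArgumentException('expected a JSON array of reports');
        }
        $records = [];
        foreach ($data as $report) {
            if (!is_array($report) || ($report['type'] ?? null) !== 'csp-violation') {
                continue; // the same endpoint may receive other Reporting API types
            }
            $b = is_array($report['body'] ?? null) ? $report['body'] : [];
            $records[] = record(
                $b['documentURL'] ?? $report['url'] ?? '',
                $b['effectiveDirective'] ?? '',
                $b['blockedURL'] ?? '',
                $b['originalPolicy'] ?? '',
            );
        }

        return $records;
    }

    throw new InvalidArgumentException("unsupported Content-Type: $contentType");
}

// Constructed sample: legacy report-uri format.
$legacy = json_encode(['csp-report' => [
    'document-uri'        => 'https://shop.example.com/checkout',
    'violated-directive'  => 'script-src',
    'effective-directive' => 'script-src',
    'blocked-uri'         => 'https://tracker.example.net/pixel.js',
    'original-policy'     => "default-src 'self'; script-src 'self' *.example.com;",
]]);

// Constructed sample: Reporting API batch with one CSP entry and one unrelated entry.
$batch = json_encode([
    ['type' => 'csp-violation', 'age' => 12, 'url' => 'https://shop.example.com/checkout', 'body' => [
        'documentURL'        => 'https://shop.example.com/checkout',
        'effectiveDirective' => 'script-src',
        'blockedURL'         => 'inline',
        'originalPolicy'     => "default-src 'self'; script-src 'self' *.example.com;",
        'disposition'        => 'enforce',
    ]],
    ['type' => 'deprecation', 'age' => 3, 'url' => 'https://shop.example.com/', 'body' => []],
]);

foreach ([['application/csp-report', $legacy], ['application/reports+json; charset=utf-8', $batch]] as [$type, $body]) {
    foreach (normalizeCspReports($type, $body) as $rec) {
        printf("csp-violation directive=%s blocked=%s document=%s\n", $rec['directive'], $rec['blocked'], $rec['document']);
    }
}
```

Inside the Symfony controller action that `route` points to, the two inputs come from `$request->headers->get('Content-Type', '')` and `$request->getContent()`; the action must accept POST and must not sit behind a login or CSRF check, since the browser sends reports on its own. A `blocked` value of `inline` under `script-src` is the typical sign of an inline script that is missing its nonce, which is exactly what the next section is about.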

### Dynamic nonce tokens

Dynamic nonce tokens can be extremely useful to allow specific inline script tags in your Twig templates without ignoring security concerns, e.g. by enabling `'unsafe-inline'` or hard-coding a nonce ;)

#### Configuration syntax

```
nonce(name)
```

where `name` is the identifier you will later pass to `csp_nonce()` in your Twig template.

#### Example


In `opctim_csp_bundle.yaml`:

```
opctim_csp_bundle:
    always_add: []

    directives:
        default-src:
            - "'self'"
            - 'data:'
            - '*.example.com'
        script-src:
            - "'self'"
            - '*.example.com'
            - 'nonce(my-inline-script)'
```

On request, `nonce(my-inline-script)` will be transformed to e.g. `nonce-25d2ec8bb6` and will later appear in the response CSP header.

Then, in your Twig template you can simply use the `csp_nonce('my-inline-script')` function that is provided by this bundle:

```
<script nonce="{{ csp_nonce('my-inline-script') }}">
    alert('This works!');
</script>
```

The rendered result (with the example nonce from above):

```
<script nonce="25d2ec8bb6">
    alert('This works!');
</script>
```
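As an added example (not code from the bundle), the plain PHP below walks through what a `nonce(name)` source goes through on each request: one random value is minted per name, substituted into the directive as `'nonce-<value>'`, and the same value is what `csp_nonce('name')` would print into the template. It also shows the two properties a reviewer checks, that header and attribute agree within a request and that the value changes between requests. Function names are this example's own; the bundle's internal API is not shown on this page.

```php
<?php
// Added example, not code from the bundle: what a nonce(<name>) source goes
// through on each request. One random value is minted per name, substituted
// into the directive as 'nonce-<value>', and the same value is what
// csp_nonce('<name>') would print in the template. Function names are this
// example's own; the bundle's internal API is not shown on this page.
declare(strict_types=1);

const NONCE_EXPR = '/^nonce\(([A-Za-z0-9_-]+)\)$/';

/** Find every nonce(<name>) in the directive lists and mint one value per name. */
function generateNonces(array $directives): array
{
    $nonces = [];
    foreach ($directives as $sources) {
        foreach ($sources as $source) {
            if (preg_match(NONCE_EXPR, $source, $m) && !isset($nonces[$m[1]])) {
                // 128 bits from a CSPRNG; base64url is valid both in the CSP
                // header and in an HTML attribute, so nothing needs escaping.
                $nonces[$m[1]] = rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '=');
            }
        }
    }

    return $nonces;
}

/** Replace nonce(<name>) with the CSP source expression 'nonce-<value>'. */
function applyNonces(array $directives, array $nonces): array
{
    foreach ($directives as $name => $sources) {
        $directives[$name] = array_map(
            fn (string $s): string => preg_match(NONCE_EXPR, $s, $m) ? "'nonce-" . $nonces[$m[1]] . "'" : $s,
            $sources,
        );
    }

    return $directives;
}

/** Equivalent of the Twig csp_nonce() helper. An undeclared name is a configuration bug, so fail loudly. */
function cspNonce(array $nonces, string $name): string
{
    return $nonces[$name] ?? throw new LogicException("nonce($name) is not declared in any directive");
}

function toHeader(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }

    return implode('; ', $parts) . ';';
}

// Constructed config, same as the YAML above.
$directives = [
    'default-src' => ["'self'", 'data:', '*.example.com'],
    'script-src'  => ["'self'", '*.example.com', 'nonce(my-inline-script)'],
];

// Simulate two independent requests: header and attribute agree within a
// request, and the value differs between requests.
$seen = [];
for ($request = 1; $request <= 2; $request++) {
    $nonces = generateNonces($directives);
    $header = toHeader(applyNonces($directives, $nonces));
    $attr   = htmlspecialchars(cspNonce($nonces, 'my-inline-script'), ENT_QUOTES, 'UTF-8');

    echo "Request $request", PHP_EOL;
    echo "  Content-Security-Policy: $header", PHP_EOL;
    echo "  <script nonce=\"$attr\">alert('This works!');</script>", PHP_EOL;
    $seen[] = $nonces['my-inline-script'];
}

if (count(array_unique($seen)) !== 2) {
    throw new RuntimeException('nonce must be fresh on every request');
}
```

Two consequences follow from this per-request design. The rendered HTML must not be served from a full-page cache (Symfony HttpCache, a reverse proxy, a CDN): a cached page would either carry a nonce that no longer matches the freshly generated header, or reuse one nonce across many responses, which removes the protection. And a `csp_nonce()` call for a name that is not declared in any directive should fail at render time rather than silently emit an empty attribute, because that script would then be blocked in production only.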

### Hooking into the CSP header generation


A key feature of this bundle is the dynamic nonce implementation. The bundle hooks into the Symfony event system and generates fresh nonce tokens for you - on every request!

On request, the bundle prepares the CSP header directives that will be written to the response headers. This is where the `nonce()` expressions from `opctim_csp_bundle.yaml` are parsed.

The bundle then writes the resulting value into the `Content-Security-Policy` header of the Response.

If you want to modify the CSP header before it is written to the response, you can hook into the generation by subscribing to the `opctim_csp_bundle.add_csp_header` event:
