
pavlakis/csp-middleware
=======================

Add Content-Security-Policy headers for PSR-7 requests. Uses the csp-builder library paragonie/csp-builder.


CSP Middleware
==============


Add Content-Security-Policy headers using PSR-7 requests. Uses the [paragonie/csp-builder](https://github.com/paragonie/csp-builder) package.

Usage
-----


Adding the middleware is as simple as:

```
$app->add(new \Pavlakis\Middleware\Csp\CspMiddleware($container->get('csp')));
```

Where `$container->get('csp')` returns an instance of `CSPBuilder` with a CSP configuration.

The constructor takes a second parameter, `$reportOnly`. It is a boolean that defaults to `true`, in which case the policy is sent as `Content-Security-Policy-Report-Only`. This default is important so you don't break your application accidentally.

To enforce the policy instead, pass `false` as the second argument.

Define the CSP policies in a JSON file.

Example:

```
{
  "report-only": false,
  "report-uri": "/csp/enforce",
  "base-uri": [],
  "default-src": [],
  "child-src": {
    "self": false
  },
  "connect-src": {},
  "font-src": {
    "self": true
  },
  "form-action": {
    "self": true
  },
  "frame-ancestors": [],
  "img-src": {
    "self": true
  },
  "media-src": [],
  "object-src": [],
  "plugin-types": [],
  "script-src": {
    "allow": [
      "https://www.google-analytics.com"
    ],
    "self": true,
    "unsafe-inline": false,
    "unsafe-eval": false
  },
  "style-src": {
    "self": true,
    "unsafe-inline": false
  },
  "upgrade-insecure-requests": true
}
```

### Example in Slim3


**Dependencies (dependencies.php)**

```
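use ParagonIE\CSPBuilder\CSPBuilder;

// Build the policy from the JSON file and register it in the container.
$container['csp'] = function ($c) {
    $csp = CSPBuilder::fromFile(__DIR__ . '/configs/csp.json');
    return $csp;
};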
```

**Application Middleware (middleware.php)**

```
$app->add(new \Pavlakis\Middleware\Csp\CspMiddleware($container->get('csp')));
```
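
While the header is sent in report-only mode, the violation reports are what tell you whether the policy is safe to enforce. The following is an added example, not code from this project: a Slim 3 route that receives the reports browsers POST to the `report-uri` from the sample config (`/csp/enforce`). The size limit, the field selection and the use of `error_log` are assumptions.

```php
<?php
// Added example (not part of csp-middleware): collect CSP violation reports
// sent to the "report-uri" path from csp.json. Assumes $app is the Slim 3
// application used in the snippets above.

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

$app->post('/csp/enforce', function (ServerRequestInterface $request, ResponseInterface $response) {
    // Reports are unauthenticated input from any browser: bound the size
    // before reading the body. 8 KiB is an assumed limit.
    $body = $request->getBody();
    $size = $body->getSize();
    if ($size === null || $size > 8192) {
        return $response->withStatus(413);
    }

    // Browsers send {"csp-report": {...}} as application/csp-report.
    $payload = json_decode((string) $body, true);
    $report = is_array($payload) && isset($payload['csp-report']) && is_array($payload['csp-report'])
        ? $payload['csp-report']
        : null;
    if ($report === null) {
        return $response->withStatus(400);
    }

    // Keep only the fields needed to tune the policy, as bounded strings.
    $fields = ['document-uri', 'violated-directive', 'effective-directive', 'blocked-uri', 'disposition'];
    $entry = [];
    foreach ($fields as $name) {
        $value = isset($report[$name]) && is_scalar($report[$name]) ? (string) $report[$name] : '';
        $entry[$name] = substr($value, 0, 512);
    }

    // json_encode escapes control characters, so a crafted report cannot
    // inject extra log lines; truncated multibyte sequences are substituted.
    error_log('csp-report ' . json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES));

    // No content to return to the reporting browser.
    return $response->withStatus(204);
});
```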

Resources
---------


Useful resources for CSP

- [CSP: Let's break stuff](https://www.slideshare.net/Brunty/content-security-policies-lets-break-stuff) - by [Matt Brunt (@brunty)](https://twitter.com/brunty)
- [Report-Uri.io](https://report-uri.io/)
- [Web Fundamentals - CSP](https://developers.google.com/web/fundamentals/security/csp/)

