
stevenmaguire/laravel-middleware-csp
====================================

Provides support for enforcing Content Security Policy with headers in Laravel responses.

Version 0.1.1 (released 10y ago, last pushed 7y ago) · MIT license · PHP >= 5.5.9 · [1 issues](https://github.com/stevenmaguire/laravel-middleware-csp/issues) · [1 PRs](https://github.com/stevenmaguire/laravel-middleware-csp/pulls)

[Source](https://github.com/stevenmaguire/laravel-middleware-csp) · [Packagist](https://packagist.org/packages/stevenmaguire/laravel-middleware-csp)

Content Security Policy Middleware
==================================


Provides support for enforcing Content Security Policy with headers in Laravel responses. This package extends and utilizes the [framework agnostic Content Security Policy Middleware for PSR 7 response](https://github.com/stevenmaguire/middleware-csp-php).

Install
-------

Via Composer

```
$ composer require stevenmaguire/laravel-middleware-csp
```

Usage
-----

### Register as route middleware

```
// within app/Http/Kernel.php

protected $routeMiddleware = [
    //
    'secure.content' => \Stevenmaguire\Laravel\Http\Middleware\EnforceContentSecurity::class,
    //
];
```

### Apply content security policy to routes

The following will apply all default profiles to the `gallery` route.

```
// within app/Http/routes.php

Route::get('gallery', ['middleware' => 'secure.content'], function () {
    return 'pictures!';
});
```

The following will apply all default profiles and a specific `flickr` profile to the `gallery` route.

```
// within app/Http/routes.php

Route::get('gallery', ['middleware' => 'secure.content:flickr'], function () {
    return 'pictures!';
});
```

### Apply content security policy to controllers

The following will apply all default profiles to all methods within the `GalleryController`.

```
// within app/Http/Controllers/GalleryController.php

public function __construct()
{
    $this->middleware('secure.content');
}
```

The following will apply all default profiles and a specific `google` profile to all methods within the `GalleryController`.

```
// within app/Http/Controllers/GalleryController.php

public function __construct()
{
    $this->middleware('secure.content:google');
}
```

You can include any number of specific profiles to any middleware decoration. For instance, the following will apply default, `google`, `flickr`, and `my_custom` profiles to all methods within the `GalleryController`.

```
// within app/Http/Controllers/GalleryController.php

public function __construct()
{
    $this->middleware('secure.content:google,flickr,my_custom');
}
```

### Create content security profiles

By default the middleware reads its content security profiles from the `security.content` configuration key, i.e. the `content` array in `config/security.php`. If you wish to use this default location, ensure your project includes that configuration file.

You can find all available directives on the OWASP [CSP Cheat Sheet](https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet).

The structure of this configuration array is important. The middleware expects to find a `default` key with a string value and a `profiles` key with an array value.

```
// within config/security.php

return [
    'content' => [
        'default' => '',
        'profiles' => [],
    ],
];
```

The `profiles` array contains the security profiles for your application. Each profile name must be unique, and each profile's value must be an array.

```
// within config/security.php

return [
    'content' => [
        'default' => '',
        'profiles' => [
            'profile_one' => [],
            'profile_two' => [],
            'profile_three' => [],
        ],
    ],
];
```

Each profile array should contain keys that correspond to Content Security Policy directives. The value of each directive can be a string, a comma-separated string, or an array of strings. Each string is one source expression allowed for that directive in that profile: a host such as `https://domain.com` or a quoted keyword such as `'self'`.

```
// within config/security.php

return [
    'content' => [
        'default' => '',
        'profiles' => [
            'profile_one' => [
                'base-uri' => 'https://domain.com,http://google.com',
            ],
            'profile_two' => [
                'font-src' => 'https://domain.com',
                'base-uri' => [
                    "'self'",
                    'http://google.com'
                ],
            ],
            'profile_three' => [
                'font-src' => [
                    "'self'"
                ],
            ],
        ],
    ],
];
```

The `default` key value should be a string, comma-separated string, or array of strings naming the profiles to enforce on every response that passes through the middleware, including responses for which no specific profile is requested.

```
// within config/security.php

return [
    'content' => [
        'default' => 'profile_one',
        'profiles' => [
            'profile_one' => [
                'base-uri' => 'https://domain.com,http://google.com',
            ],
            'profile_two' => [
                'font-src' => 'https://domain.com',
                'base-uri' => [
                    "'self'",
                    'http://google.com'
                ],
            ],
            'profile_three' => [
                'font-src' => [
                    "'self'"
                ],
            ],
        ],
    ],
];
```

Here is a real-world example:

```
// within config/security.php

return [
    'content' => [
        'default' => 'global',
        'profiles' => [
            'global' => [
                'base-uri' => "'self'",
                'default-src' => "'self'",
                'font-src' => [
                    "'self'",
                    'fonts.gstatic.com'
                ],
                'img-src' => "'self'",
                'script-src' => "'self'",
                'style-src' => [
                    "'self'",
                    "'unsafe-inline'",
                    'fonts.googleapis.com'
                ],
            ],
            'flickr' => [
                'img-src' => [
                    'https://*.staticflickr.com',
                ],
            ],
        ],
    ],
];
```
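As an added example (not code from the package or its author), the following PHP sketches how the `default` profiles and the profiles named on a route could combine into a single `Content-Security-Policy` header value; it assumes the union-per-directive merging the README implies, and `cspSources` and `buildCspHeader` are hypothetical helper names.

```php
<?php
// Added illustration, not code from stevenmaguire/laravel-middleware-csp (which
// delegates the real work to stevenmaguire/middleware-csp-php). It assumes the
// rule the README implies: the `default` profiles are always applied, named
// profiles are added, and per directive the sources of all applied profiles are unioned.

// Normalise a directive value (string, comma-separated string, or array) to a list.
function cspSources($value)
{
    $items = is_array($value) ? $value : explode(',', (string) $value);
    return array_values(array_filter(array_map('trim', $items), 'strlen'));
}

// Build the Content-Security-Policy header value for the requested profiles.
function buildCspHeader(array $content, array $requested = [])
{
    $names = array_unique(array_merge(cspSources($content['default']), $requested));
    $directives = [];
    foreach ($names as $name) {
        if (!isset($content['profiles'][$name])) {
            throw new InvalidArgumentException("Unknown content security profile: $name");
        }
        foreach ($content['profiles'][$name] as $directive => $value) {
            $existing = isset($directives[$directive]) ? $directives[$directive] : [];
            $directives[$directive] = array_values(array_unique(
                array_merge($existing, cspSources($value))
            ));
        }
    }
    $parts = [];
    foreach ($directives as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Constructed sample mirroring the README's "real-world" configuration.
$content = [
    'default' => 'global',
    'profiles' => [
        'global' => [
            'default-src' => "'self'",
            'img-src' => "'self'",
            'style-src' => ["'self'", "'unsafe-inline'", 'fonts.googleapis.com'],
        ],
        'flickr' => ['img-src' => ['https://*.staticflickr.com']],
    ],
];
echo buildCspHeader($content), PHP_EOL;            // secure.content
echo buildCspHeader($content, ['flickr']), PHP_EOL; // secure.content:flickr
```

With `flickr` requested, `img-src` carries both `'self'` and the Flickr host while the other directives are unchanged, so a route-specific profile widens only the directives it names; the `'unsafe-inline'` entry in `style-src` is the one source in this policy worth removing once inline styles are gone.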

Testing
-------

```
$ ./vendor/bin/phpunit
```

Contributing
------------

Please see [CONTRIBUTING](https://github.com/stevenmaguire/laravel-middleware-csp/blob/master/CONTRIBUTING.md) for details.

Credits
-------

- [Steven Maguire](https://github.com/stevenmaguire)
- [All Contributors](https://github.com/stevenmaguire/laravel-middleware-csp/contributors)

License
-------

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

