paragonie / Csp Builder

Licence: mit
Build Content-Security-Policy headers from a JSON file (or build them programmatically)


Content Security Policy Builder


Easily integrate Content-Security-Policy headers into your web application, either from a JSON configuration file or programmatically.

CSP Builder was created by Paragon Initiative Enterprises as part of our effort to encourage better application security practices.

Check out our other open source projects too.

There's also a CSP middleware available that uses this library.

Installing

First, get Composer, then run:

composer require paragonie/csp-builder

Build a Content Security Policy header from a JSON configuration file

<?php

use ParagonIE\CSPBuilder\CSPBuilder;

$csp = CSPBuilder::fromFile('/path/to/source.json');
$csp->sendCSPHeader();

You can also load the configuration from a JSON string, like so:

<?php

use ParagonIE\CSPBuilder\CSPBuilder;

$configuration = file_get_contents('/path/to/source.json');
if (!is_string($configuration)) {
    throw new Error('Could not read configuration file!');
}
$csp = CSPBuilder::fromData($configuration);
$csp->sendCSPHeader();

Finally, you can just pass an array to the first argument of the constructor:

<?php

use ParagonIE\CSPBuilder\CSPBuilder;

$configuration = file_get_contents('/path/to/source.json');
if (!is_string($configuration)) {
    throw new Error('Could not read configuration file!');
}
$decoded = json_decode($configuration, true);
if (!is_array($decoded)) {
    throw new Error('Could not parse configuration!');
}
$csp = new CSPBuilder($decoded);
$csp->sendCSPHeader();

Example

{
    "report-only": false,
    "report-to": "PolicyName",
    "report-uri": "/csp_violation_reporting_endpoint",
    "base-uri": [],
    "default-src": [],
    "child-src": {
        "allow": [
            "https://www.youtube.com",
            "https://www.youtube-nocookie.com"
        ],
        "self": false
    },
    "connect-src": [],
    "font-src": {
        "self": true
    },
    "form-action": {
        "allow": [
            "https://example.com"
        ],
        "self": true
    },
    "frame-ancestors": [],
    "img-src": {
        "blob": true,
        "self": true,
        "data": true
    },
    "media-src": [],
    "object-src": [],
    "plugin-types": [],
    "script-src": {
        "allow": [
            "https://www.google-analytics.com"
        ],
        "self": true,
        "unsafe-inline": false,
        "unsafe-eval": false
    },
    "style-src": {
        "self": true
    },
    "upgrade-insecure-requests": true
}
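To see what a configuration in this format turns into on the wire, here is an added Python illustration (not paragonie/csp-builder's own serializer) that compiles a constructed subset of the example above into the header name and value, and flags any directive that enables 'unsafe-inline' or 'unsafe-eval'. The mapping of an empty list to 'none' and the exact output ordering are assumptions of this sketch, not guarantees about the library.

```python
import json
# Constructed config in the README's JSON format (added illustration, not the library's code).
CONFIG_JSON = """{
  "report-only": false,
  "report-uri": "/csp_violation_reporting_endpoint",
  "default-src": [],
  "child-src": {"allow": ["https://www.youtube.com"], "self": false},
  "img-src": {"blob": true, "self": true, "data": true},
  "script-src": {"allow": ["https://www.google-analytics.com"],
                 "self": true, "unsafe-inline": false, "unsafe-eval": false},
  "style-src": {"self": true},
  "upgrade-insecure-requests": true
}"""

# Boolean keys of a directive object and the source expression each one enables.
FLAGS = {"self": "'self'", "unsafe-inline": "'unsafe-inline'",
         "unsafe-eval": "'unsafe-eval'", "blob": "blob:", "data": "data:"}

def sources(spec):
    """Map one directive's config value to its list of CSP source expressions."""
    if isinstance(spec, list):  # assumed: an empty list means "allow nothing"
        return list(spec) if spec else ["'none'"]
    out = [FLAGS[k] for k in FLAGS if spec.get(k)] + spec.get("allow", [])
    return out or ["'none'"]

def build_header(config):
    """Return (header name, header value) for a config dict in the README's format."""
    name = "Content-Security-Policy"
    if config.get("report-only"):
        name += "-Report-Only"  # violations get reported, not enforced
    parts = []
    for directive, spec in config.items():
        if directive == "report-only":
            continue
        if directive == "upgrade-insecure-requests":
            if spec:
                parts.append(directive)  # boolean directive, carries no value
        elif directive in ("report-uri", "report-to"):
            parts.append(f"{directive} {spec}")
        else:
            parts.append(directive + " " + " ".join(sources(spec)))
    return name, "; ".join(parts)

def unsafe_directives(config):
    """Defender's check: directives whose config enables 'unsafe-inline' or 'unsafe-eval'."""
    return [d for d, s in config.items()
            if isinstance(s, dict) and (s.get("unsafe-inline") or s.get("unsafe-eval"))]

def compile_example():
    return build_header(json.loads(CONFIG_JSON))
```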

Build a Content Security Policy, programmatically

<?php

use ParagonIE\CSPBuilder\CSPBuilder;

$csp = CSPBuilder::fromFile('/path/to/source.json');

// Let's add a nonce for inline JS
$body = '';
$desiredJavascriptCode = 'console.log("hello");'; // sample inline script you intend to allow
$nonce = $csp->nonce('script-src');
// Quote the attribute value: the nonce is base64 and unquoted attribute values are fragile
$body .= "<script nonce=\"{$nonce}\">";
$body .= $desiredJavascriptCode;
$body .= "</script>";

// Let's add a hash to the CSP header for $someScript (the exact contents of the inline script)
$someScript = 'alert("hi");'; // sample script contents
$hash = $csp->hash('script-src', $someScript, 'sha256');

// Add a new source domain to the whitelist
$csp->addSource('image', 'https://ytimg.com');

// Set the Report URI
$csp->setReportUri('https://example.com/csp_report.php');

// Let's turn on HTTPS enforcement
$csp->addDirective('upgrade-insecure-requests', true);

$csp->sendCSPHeader();

Note that many of these methods can be chained together:

$csp = CSPBuilder::fromFile('/path/to/source.json');
$csp->addSource('image', 'https://ytimg.com')
    ->addSource('frame', 'https://youtube.com')
    ->addDirective('upgrade-insecure-requests', true)
    ->sendCSPHeader();

Chainable methods:

  • addSource()
  • addDirective()
  • disableOldBrowserSupport()
  • enableOldBrowserSupport()
  • hash()
  • preHash()
  • setDirective()
  • setBlobAllowed()
  • setDataAllowed()
  • setFileSystemAllowed()
  • setMediaStreamAllowed()
  • setReportUri()
  • setSelfAllowed()
  • setAllowUnsafeEval()
  • setAllowUnsafeInline()

Inject a CSP header into a PSR-7 message

Instead of invoking sendCSPHeader(), you can inject the headers into your PSR-7 message object by calling it like so:

/**
 * $yourMessageHere is an instance of an object that implements
 * \Psr\Http\Message\MessageInterface
 *
 * Typically, this will be a Response object that implements
 * \Psr\Http\Message\ResponseInterface
 *
 * @ref https://github.com/guzzle/psr7/blob/master/src/Response.php
 */
$csp->injectCSPHeader($yourMessageHere);

Save a CSP header for configuring Apache/nginx

Instead of calling sendCSPHeader() on every request, you can build the CSP once and save it to a snippet for including in your server configuration:

$policy = CSPBuilder::fromFile('/path/to/source.json');
$policy->saveSnippet(
    '/etc/nginx/snippets/my-csp.conf',
    CSPBuilder::FORMAT_NGINX
);

Make sure you reload your webserver afterwards.

Support Contracts

If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.
