Skip to content

Instantly share code, notes, and snippets.

@ohmrefresh
Forked from phpdave/cspheader.php
Created April 15, 2018 14:28
Show Gist options
  • Save ohmrefresh/3b4f35f7de2a147928ae0f42d0132e3a to your computer and use it in GitHub Desktop.
Save ohmrefresh/3b4f35f7de2a147928ae0f42d0132e3a to your computer and use it in GitHub Desktop.
CSP Header for PHP or Apache or .htaccess - Content Security Protocol
<?
//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
$headerCSP = "Content-Security-Policy:".
"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
"default-src 'self';". // Default policy for loading html elements
"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
"frame-src 'none';". // vaid sources for frames
"media-src 'self' *.example.com;". // vaid sources for media (audio and video html tags src)
"object-src 'none'; ". // valid object embed and applet tags src
"report-uri https://example.com/violationReportForCSP.php;". //A URL that will get raw json data in post that lets you know what was violated and blocked
"script-src 'self' 'unsafe-inline' example.com code.jquery.com https://ssl.google-analytics.com ;". // allows js from self, jquery and google analytics. Inline allows inline js
"style-src 'self' 'unsafe-inline';";// allows css from self and inline allows inline css
//Sends the Header in the HTTP response to instruct the Browser how it should handle content and what is whitelisted
//Its up to the browser to follow the policy which each browser has varying support
header($contentSecurityPolicy);
//X-Frame-Options is not a standard (note the X- which stands for extension not a standard)
//This was never officially created but is supported by a lot of the current browsers in use in 2015 and will block iframing of your website
header('X-Frame-Options: SAMEORIGIN');
#this can also be done in a .htaccess file depending on your server set determines where you decide to set it
Header unset Content-Security-Policy
#Add the entire CSP key value pairs that you want below is just default-src
Header add Content-Security-Policy "default-src 'self'"
#This opens support to older browsers that support X-Content-Security-Policy but not Content-Security-Policy
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
#This opens support to older browsers that support X-WebKit-CSP but not Content-Security-Policy
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
#These headers are also helpful in increasing security
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
<?php
$data = json_decode($HTTP_RAW_POST_DATA,true);
$to = '[email protected]';
$subject = 'CSP Violations';
$message="Following violations occured:<br/><br/>";
if($document_uri!="")
$message.="<b>Document URI:</b> ".$data['csp-report']['document-uri']."<br/><br/>";
if($referrer!="")
$message.="<b>Referrer:</b> ".$data['csp-report']['referrer']."<br/><br/>";
if($blocked_uri!="")
$message.="<b>Blocked URI:</b> ".$data['csp-report']['blocked_uri']."<br/><br/>";
if($violated_directive!="")
$message.="<b>Violated Directive:</b> ".$data['csp-report']['violated_directive']."<br/><br/>";
if($original_policy!="")
$message.="<b>Original Policy:</b> ".$data['csp-report']['original_policy']."<br/><br/>";
// To send HTML mail, the Content-type header must be set
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'From: Example Website <[email protected]>' . "\r\n";
// Mail it
mail($to, $subject, $message, $headers);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment