How to improve Laravel Application's Security using a CSP
Hai Tran Minh
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
1. Overview
In this article, we're going to take a look at what a CSP is and what it achieves. We'll then take a look at how to use the spatie/laravel-csp package to add a CSP to your Laravel application. We'll also briefly cover some tips that make adding a CSP to an existing application easier.
2. How to Implement a CSP in Laravel
A CSP is simply a set of rules that your server returns to the client's browser in a response header or, less commonly, in a <meta> tag in the HTML (a few directives, such as frame-ancestors, report-uri and sandbox, are only honoured when delivered as a header). This means there are several ways to apply a CSP to your application. For example, you could set the header in your web server's (e.g. Nginx) configuration. However, a static server-level header is cumbersome to manage and cannot carry a nonce that changes on every response, so I find it easier to manage the policy at the application level instead.
3. Installation
You can install the package via composer:
$ composer require spatie/laravel-csp
You can publish the config-file with:
$ php artisan vendor:publish --tag=csp-config
Running the above command creates a new config/csp.php file for you.
4. Applying the Policy to Responses
You can add CSP headers to all responses of your app by registering Spatie\Csp\AddCspHeaders::class in the HTTP kernel (app/Http/Kernel.php).
// app/Http/Kernel.php
…
protected $middlewareGroups = [
    'web' => [
        …
        \Spatie\Csp\AddCspHeaders::class,
    ],
];
As a result, every route that runs through your web middleware group will have the Content-Security-Policy header added automatically.
Alternatively you can apply the middleware on the route or route group level:
Route::get('search-page', 'SearchController')->middleware(Spatie\Csp\AddCspHeaders::class);
You can also pass a policy class as a parameter to the middleware:
Route::get('search-page', 'SearchController')->middleware(Spatie\Csp\AddCspHeaders::class . ':' . CSPPolicy::class);
The given policy will override the one configured in the config file for that specific route or group of routes.
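As an added example (not code from this article or from the spatie/laravel-csp package), here is what such a route-specific policy class can look like. It extends the package's Basic policy, allows one extra script host, forbids framing and sends violation reports to an endpoint you control. It assumes version 2 of the package (the release that registers its middleware in app/Http/Kernel.php as shown above); the class name, the CDN host and the report endpoint are placeholders.

```php
<?php
// app/Support/Csp/SearchPagePolicy.php
// Added example for this article; not code from the spatie/laravel-csp package.
// Assumes spatie/laravel-csp v2. Class name, CDN host and report URL are placeholders.

namespace App\Support\Csp;

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;
use Spatie\Csp\Policies\Basic;

class SearchPagePolicy extends Basic
{
    public function configure()
    {
        // Inherit the Basic rules: 'self' for every fetch directive,
        // object-src 'none', and a per-response nonce on script-src and style-src.
        parent::configure();

        $this
            // Allow exactly one extra script origin, named in full: no wildcards,
            // no 'unsafe-inline', no 'unsafe-eval'. Every host listed here is a host
            // whose compromise becomes script execution on your page, so keep it short.
            ->addDirective(Directive::SCRIPT, 'https://cdn.example.com')
            // Refuse to be framed by any site (clickjacking). Only honoured when the
            // policy is delivered as a header, which this middleware does.
            ->addDirective(Directive::FRAME_ANCESTORS, Keyword::NONE)
            // Have browsers POST violation reports to an endpoint you control, so a
            // too-strict policy (or a real injection attempt) is visible, not silent.
            ->reportTo('https://example.com/csp-report');
    }
}

/*
 * Blade usage (resources/views/search.blade.php): an inline script only runs when
 * it carries the nonce the middleware generated for this particular response.
 *
 *   <script nonce="{{ csp_nonce() }}">
 *       window.searchConfig = @json($config);
 *   </script>
 */
```

Attach it to the route exactly as above: ->middleware(\Spatie\Csp\AddCspHeaders::class . ':' . \App\Support\Csp\SearchPagePolicy::class). When retrofitting an existing application, run the policy in report-only mode first (the v2 Policy class exposes a reportOnly() method, and config/csp.php has a report_only switch), watch the reports for a few days, and only then enforce it.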
The package ships with a Spatie\Csp\Policies\Basic policy, used by default, that already defines a few rules for us. The Basic policy produces a Content-Security-Policy header that looks something like this (the nonce value is different on every response):
base-uri 'self';connect-src 'self';default-src 'self';form-action 'self';img-src 'self';media-src 'self';object-src 'none';script-src 'self' 'nonce-AAQiTcrg6o4DuumXQDxY7YkgHPlZnrtu';style-src 'self' 'nonce-AAQiTcrg6o4DuumXQDxY7YkgHPlZnrtu'
A CSP policy determines which CSP directives will be set in the headers of the response.
An example of a CSP directive is script-src. If it has the value 'self' www.google.com, then your site can only load scripts from its own origin or from www.google.com; a script from any other host is refused by the browser.
Using inline scripts and styles: when using CSP you must specifically allow the use of inline scripts or styles. The recommended way of doing that with this package is to use a nonce rather than 'unsafe-inline', which would allow every inline script, including injected ones.
A nonce is a random value, generated freshly for each response and not predictable by anyone else. The nonce must appear both in the CSP header and in the nonce attribute of every inline <script> or <style> tag you intend to allow. An attacker who manages to inject markup into the page does not know the nonce for that response, so the browser refuses to execute the injected script or style. This holds only as long as the nonce is never reused and is not leaked somewhere the injected content can read it.
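To make the rules above concrete, the following is an added example (not code from this article or from spatie/laravel-csp): a small PHP 8 model of the decision a browser makes for each <script> under a Content-Security-Policy header. It handles script-src with fallback to default-src, 'self', 'none', host sources (including a leading *. wildcard), 'unsafe-inline' and 'nonce-...' sources, and deliberately leaves out hashes, 'strict-dynamic', scheme-only sources, path and port matching. The header is the Basic policy header quoted above; the page origin, script URLs and the guessed nonce are constructed for the demo.

```php
<?php
// Added example for this article; not code from spatie/laravel-csp or from any browser.
// Simplified model of the browser's script-src decision. Requires PHP 8.0+.
// Omitted on purpose: hashes, 'strict-dynamic', scheme-only sources, paths, ports.
declare(strict_types=1);

/** Split a CSP header into ['directive-name' => [source, ...]]. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $directives[$name] ??= $tokens;   // browsers keep the first occurrence of a directive
    }
    return $directives;
}

/** Same scheme, host and (default) port: the definition of 'self'. */
function sameOrigin(string $a, string $b): bool
{
    $pa = parse_url($a) ?: [];
    $pb = parse_url($b) ?: [];
    $port = fn(array $u): int => $u['port'] ?? ((($u['scheme'] ?? 'http') === 'https') ? 443 : 80);
    return strtolower($pa['scheme'] ?? '') === strtolower($pb['scheme'] ?? '')
        && strtolower($pa['host'] ?? '') === strtolower($pb['host'] ?? '')
        && $port($pa) === $port($pb);
}

/** Does a host-source like www.google.com, https://cdn.example.com or *.example.com cover $scriptUrl? */
function hostMatches(string $source, string $scriptUrl): bool
{
    $url = parse_url($scriptUrl) ?: [];
    if (!isset($url['host'])) {
        return false;
    }
    $pattern = $source;
    if (str_contains($source, '://')) {
        [$scheme, $pattern] = explode('://', $source, 2);
        if (strtolower($scheme) !== strtolower($url['scheme'] ?? '')) {
            return false;                                   // an explicit scheme must match
        }
    }
    $pattern = strtolower(explode('/', $pattern, 2)[0]);   // drop any path
    $pattern = explode(':', $pattern, 2)[0];               // drop any port
    $host = strtolower($url['host']);
    if (str_starts_with($pattern, '*.')) {
        return str_ends_with($host, substr($pattern, 1));   // *.example.com: subdomains only
    }
    return $pattern === $host;
}

/**
 * Would the browser run this script?
 * $scriptUrl is the src of an external script, or null for an inline <script>;
 * $nonce is the tag's nonce attribute, or null if it has none.
 */
function cspAllowsScript(string $header, string $pageOrigin, ?string $scriptUrl, ?string $nonce): bool
{
    $policy  = parseCsp($header);
    $sources = $policy['script-src'] ?? $policy['default-src'] ?? null;
    if ($sources === null) {
        return true;                 // neither script-src nor default-src: nothing restricts scripts
    }
    if ($sources === ["'none'"]) {
        return false;                // 'none' blocks everything, nonced scripts included
    }
    // Once a nonce or hash source is present, browsers ignore 'unsafe-inline'.
    $hasNonceOrHash = preg_grep("/^'(nonce|sha(256|384|512))-/", $sources) !== [];

    foreach ($sources as $source) {
        if ($nonce !== null && $source === "'nonce-{$nonce}'") {
            return true;             // a matching nonce authorises inline and external scripts alike
        }
        if ($scriptUrl === null) {   // inline script: only 'unsafe-inline' could still save it
            if ($source === "'unsafe-inline'" && !$hasNonceOrHash) {
                return true;
            }
            continue;
        }
        if ($source === "'self'") {
            if (sameOrigin($pageOrigin, $scriptUrl)) {
                return true;
            }
            continue;
        }
        if (hostMatches($source, $scriptUrl)) {
            return true;
        }
    }
    return false;                    // no source matched: the browser refuses to run it
}

// Constructed demo inputs: the Basic policy header quoted in the article, a page on the app's origin.
$basic  = "base-uri 'self';connect-src 'self';default-src 'self';form-action 'self';img-src 'self';"
        . "media-src 'self';object-src 'none';script-src 'self' 'nonce-AAQiTcrg6o4DuumXQDxY7YkgHPlZnrtu';"
        . "style-src 'self' 'nonce-AAQiTcrg6o4DuumXQDxY7YkgHPlZnrtu'";
$origin = 'https://app.example.test';
$nonce  = 'AAQiTcrg6o4DuumXQDxY7YkgHPlZnrtu';

$cases = [
    "own-origin bundle under 'self'"            => cspAllowsScript($basic, $origin, 'https://app.example.test/js/app.js', null),
    'script from an origin not in the policy'   => cspAllowsScript($basic, $origin, 'https://evil.example.net/x.js', null),
    'inline script carrying the response nonce' => cspAllowsScript($basic, $origin, null, $nonce),
    'injected inline script without a nonce'    => cspAllowsScript($basic, $origin, null, null),
    'injected inline script with a guessed nonce' => cspAllowsScript($basic, $origin, null, 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'),
    'www.google.com listed in script-src'       => cspAllowsScript("script-src 'self' www.google.com", $origin, 'https://www.google.com/recaptcha/api.js', null),
];
foreach ($cases as $label => $allowed) {
    printf("%-45s %s\n", $label, $allowed ? 'ALLOWED' : 'BLOCKED');
}
```

Run it with php on the command line; the last two cases are the ones that matter for XSS: an injected inline script is refused unless it carries the exact nonce of that response, and a nonce copied from an earlier response or guessed does not help, which is why the package regenerates it every time.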
5. Conclusion
A Content Security Policy mitigates many injection-style attacks and should be a staple of a secure web application. A CSP is an HTTP header with fine-grained directives that tells the browser what kinds of content it may load for the page, and from which origins. For Laravel applications, the spatie/laravel-csp package lets you define the policy in PHP and apply it as middleware. The package also generates the per-response nonces that authorise your own inline scripts and styles, which simplifies deploying a CSP.