We just tagged and released a new major version of spatie/laravel-csp, a package to manage your Laravel app's content security policy. The development goal for version 3 was to reduce the boilerplate of configuring a policy for common services like Google Tag Manager, Fathom Analytics, Adobe Fonts… In addition, we've made it easier to add your own directives through your configuration file, without writing additional code.
A refresher: what's a CSP?
A CSP, short for Content Security Policy, is an HTTP response header that carries a list of directives. Each directive names the sources (hosts, schemes, or keywords) from which the document is allowed to load a given kind of resource: scripts, styles, frames, and so on. For example, if a website has a Stripe checkout page, you'd add stripe.com to the script-src directive so the browser will load and execute Stripe's script. If a malicious script injected into that page tried to pull its payload from evil-stripe.com instead, the browser would refuse to load it, because that host is not in the allow list. In the same way, a connect-src directive restricts where the page may send data such as your payment information, so an attempt to post it to evil-stripe.com would be blocked.
What's new in version 3?
In previous versions of Laravel CSP, we provided you with the tools to add a CSP to your site by writing and maintaining your own Policy class. While using the package on one of our own projects that needs a HubSpot integration, the rules we had to configure for HubSpot made our eyes bleed. It seemed pointless to own this at the project level, so we decided to revisit our package and include policies for common services out of the box.
As of v3, adding a content security policy is as easy as configuring the package with our presets. You can also add directives of your own to the policy through the package configuration, without writing a Policy class.
<?php
// config/csp.php

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;

return [
    // Presets are applied in order; each one adds the directives a service needs.
    'presets' => [
        Spatie\Csp\Presets\Basic::class,
        Spatie\Csp\Presets\HubSpot::class,
    ],

    // Extra directives appended to the policy the presets build.
    // Each entry is [directive, list of sources or keywords].
    'directives' => [
        [Directive::SCRIPT, [
            // Shown here only to illustrate the format: 'unsafe-eval' and
            // 'unsafe-inline' on script-src switch off most of the XSS protection
            // a CSP gives you. Prefer nonces or hashes for your own inline scripts.
            Keyword::UNSAFE_EVAL,
            Keyword::UNSAFE_INLINE,
        ]],
    ],

    // …
];
This covers most use cases of adding a CSP to an app. If you need to apply directives dynamically, you can still write your own preset, which has access to the request lifecycle, the database, or any other context in your app.
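As an added illustration (this is example code, not part of the laravel-csp package or of the original post), here is what such a custom preset might look like for the Stripe checkout page from the refresher above. It assumes laravel-csp v3 is installed, that the Policy class exposes addNonce() alongside add(), and that the Stripe hostnames and the services.csp_report_uri config key are right for your application; verify them against Stripe's documentation and the package README before relying on them.

```php
<?php

// app/Support/Csp/StripeCheckoutPreset.php
// Added example, not shipped with spatie/laravel-csp. Assumes laravel-csp v3;
// hostnames, the addNonce() call and the config key are assumptions to verify.

namespace App\Support\Csp;

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;
use Spatie\Csp\Policy;
use Spatie\Csp\Preset;

class StripeCheckoutPreset implements Preset
{
    public function configure(Policy $policy): void
    {
        // Stripe.js is loaded from Stripe's host, renders its card fields in an
        // iframe, and talks to Stripe's API from the browser. Allow exactly those
        // hosts and nothing broader, so a script from evil-stripe.com stays blocked.
        $policy
            ->add(Directive::SCRIPT, 'https://js.stripe.com')
            ->add(Directive::FRAME, 'https://js.stripe.com')
            ->add(Directive::CONNECT, 'https://api.stripe.com');

        // Our own inline bootstrap script gets a per-request nonce instead of
        // 'unsafe-inline'. In the Blade view: <script nonce="{{ csp_nonce() }}">
        $policy->addNonce(Directive::SCRIPT);

        // Forms on this page may only submit back to our own origin.
        $policy->add(Directive::FORM_ACTION, Keyword::SELF);

        // Send violation reports only where a deployment has configured an
        // endpoint (assumed config key; set it per environment in .env).
        $reportUri = config('services.csp_report_uri');
        if (is_string($reportUri) && $reportUri !== '') {
            $policy->add(Directive::REPORT, $reportUri);
        }
    }
}
```

Register it by adding App\Support\Csp\StripeCheckoutPreset::class to the presets array in config/csp.php after Basic, so the shared defaults are in place before the page-specific rules. Because the middleware builds the policy for every response, the nonce is fresh each time, which is what lets you drop 'unsafe-inline' for your own inline scripts while still allowing Stripe's.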
Call for contributors
At the time of release, Laravel CSP v3 ships with presets for 8 services: Adobe Fonts, Fathom, Google Analytics, Google Fonts, Google Tag Manager, HubSpot, JsDelivr, and Tolt. We'd love to have more readily available out of the box! Are you adding a CSP to your Laravel app? Consider submitting a PR with a preset for the services you're using, for your future self and others.
Laravel CSP and its documentation can be found on GitHub.