Open Source Security Atlas

Name: laravel-csp
Author: spatie

laravel-csp: An Open Source Library/SDK for Web Security | Open Source Security Atlas

Back to Browse

Web Security

Library/SDK

laravel-csp

A Laravel package that simplifies setting Content Security Policy headers to enhance web application security.

Visit Website View on GitHub

About This Tool

Set content security policy headers in a Laravel app

Primary Use Case

This tool is used by Laravel developers to easily configure and enforce Content Security Policy (CSP) headers in their web applications, preventing malicious scripts from sending or fetching data to unauthorized sites. It helps mitigate risks such as data exfiltration by restricting which external domains scripts can interact with. Security-conscious developers and teams aiming to harden their Laravel apps against cross-site scripting and related attacks would benefit from this package.

Key Features

Easily set CSP headers in Laravel applications
Supports CSP presets for quick configuration
Allows custom global CSP directives
Supports report-only policies for safe testing
Integrates seamlessly with Laravel's middleware
Open source with active maintenance and testing
Provides configuration publishing for customization

Insights & Recommendations

Users should familiarize themselves with Content Security Policy concepts and directives before configuring this package, as improper CSP settings can break site functionality. It is recommended to use report-only mode initially to test policies without blocking content. Refer to Mozilla's CSP documentation and related resources for best practices.

Installation

Run `composer require spatie/laravel-csp` to install the package
Publish the config file using `php artisan vendor:publish --tag=csp-config`
Configure CSP presets and directives in `config/csp.php`

Usage

composer require spatie/laravel-csp

Installs the laravel-csp package via Composer.

php artisan vendor:publish --tag=csp-config

Publishes the package configuration file to the Laravel config directory.

Smart Usage Notes

Integrate CSP header enforcement early in the CI/CD pipeline to prevent deployment of vulnerable web apps.
Combine with runtime application self-protection (RASP) tools for layered defense against script injection.
Use report-only CSP mode to safely tune policies before full enforcement to avoid breaking legitimate functionality.
Leverage CSP violation reports to feed into SIEM for automated detection of suspicious web activity.
Train developers on CSP best practices alongside this package to maximize security posture.