nswdpc/silverstripe-csp
Composer 安装命令:
composer require nswdpc/silverstripe-csp
包简介
SilverStripe Content Security Policy module
README 文档
README
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
This module provides the ability to:
- Create one or more CSP records within the administration area of your website and make one of those the base policy for use on the website
- Set a CSP record to be report only
- Collect CSP Violation reports internally via a controller or via a specific URL/service
- Add page specific CSP records, which work with or without the base policy
- Add a per-request nonce
Once a CSP is in place and working, any assets loads that do not meet policy requirements will be blocked from loading, with warnings similar to this in the browser dev console:
Refused to load the script 'https://badactor.example.com/eval.js' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-example' https://cdnjs.cloudflare.com/".
Versioning
For Silverstripe 5.x, use version constraint ^1
For Silverstripe 4.x, use version constraint ^0.4.3
Installation
The only supported method of installing this module is via composer:
composer require nswdpc/silverstripe-csp
Instructions
⚠️ An incorrectly implemented CSP can have negative effects for valid visitors to your website.
- Read the initial documentation
- Read the good-to-know section
- Install the module on a development instance of your website and configure it
- Add at least one Policy record in the "CSP" administration section.
- Set it to 'report only'
- Mark it as the 'base policy'
- Optionally, make it available on your draft site only
- Set the policy to be delivered via a HTTP headers (you can use meta tags but this method limits the feature you can use).
- Add some Directives
- Mark the Policy 'Enabled', save it and
- Watch for violation reports or look at your browser dev console
When you are pleased with the settings, check the "Use on published website" setting and save.
After UAT is complete, implement the same process on your production website. You should run the policy as report-only and monitor reports, initially.
Page specific policies
By default Pages can define an extra Policy for delivery when requested with the following caveat:
Adding additional policies can only further restrict the capabilities of the protected resource
MDN provides some useful information on this process:
This means that you can't (currently) relax the base policy restrictions from within your page policy.
Using a nonce
See using a nonce
Good-to-know
See good-to-know
Violation Reports
See reporting
Minimum CSP Level
Refer to the following for changes between levels:
Additional Help
See further reading
Browser Compatibility
See browser support
Maintainers
Bugtracker
We welcome bug reports, pull requests and feature requests on the Github Issue tracker for this project.
Please review the code of conduct prior to opening a new issue.
Security
If you have found a security issue with this module, please email digital[@]dpc.nsw.gov.au in the first instance, detailing your findings.
Development and contribution
If you would like to make contributions to the module please ensure you raise a pull request and discuss with the module maintainers.
Please review the code of conduct prior to completing a pull request.
nswdpc/silverstripe-csp 适用场景与选型建议
nswdpc/silverstripe-csp 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 14.11k 次下载、GitHub Stars 达 9, 最近一次更新时间为 2019 年 04 月 04 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「silverstripe」 「csp」 「content security policy」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 nswdpc/silverstripe-csp 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 nswdpc/silverstripe-csp 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 nswdpc/silverstripe-csp 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Setup CSP Headers for a website
A block that displays featured content - large image, title, description and link.
Middleware to add the Content-Security-Policy header to the response
A module for CSP headers in Silverstripe.
Simple SilverStripe Content Security Policy Headers
TYPO3 CMS extension to create gallery content element with preset crop ratios and pagination
统计信息
- 总下载量: 14.11k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 9
- 点击次数: 22
- 依赖项目数: 1
- 推荐数: 1
其他信息
- 授权协议: BSD-3-Clause
- 更新时间: 2019-04-04