<?php

use App\Security\SecurityPolicyBasic;
use App\Support\CspAllowlist;
use Spatie\Csp\Keyword;
use Spatie\Csp\Nonce\RandomString;

/*
 * Assemble one per-directive source list in a fixed order: the leading
 * keywords/hosts, then the allowlist entries for that directive (resolved by
 * CspAllowlist from config/csp-allowlists.json), then any trailing sources.
 * Kept as a local closure so it is evaluated here and never stored in the
 * returned config array.
 */
$withAllowlist = static function (string $directive, array $leading, array $trailing = []): array {
    return array_merge($leading, CspAllowlist::sources($directive), $trailing);
};

return [
    /*
     * Presets decide which CSP headers are emitted. Any class implementing
     * `Spatie\Csp\Preset` is a valid preset.
     */
    'presets' => [
        SecurityPolicyBasic::class,
    ],

    /*
     * Per-directive source lists consumed by SecurityPolicyBasic (not by
     * Spatie's own global `directives` array further down). Each list is the
     * fixed sources below merged with the allowlist for that directive.
     *
     * NOTE(review): env('APP_URL') is appended unfiltered to connect/img/media;
     * if APP_URL is unset that entry is null — confirm SecurityPolicyBasic
     * drops or rejects it rather than emitting an empty source.
     */
    'directive_sources' => [
        'connect' => $withAllowlist('connect', [Keyword::SELF], [env('APP_URL')]),

        'default' => [
            Keyword::SELF,
        ],

        // Restricts where forms may POST; defaults are same-origin only.
        'form_action' => [
            Keyword::SELF,
        ],

        'img' => $withAllowlist('img', [Keyword::SELF], [env('APP_URL')]),

        'media' => $withAllowlist('media', [Keyword::SELF, env('APP_URL')]),

        // Plugins (<object>/<embed>) are blocked outright.
        'object' => [
            Keyword::NONE,
        ],

        'font' => $withAllowlist('font', [Keyword::SELF]),

        /*
         * 'unsafe-inline' and 'unsafe-eval' on script-src remove most of the
         * XSS mitigation a CSP provides: any injected inline script or
         * string-evaluated code is allowed to run. Browsers that honour nonces
         * ignore 'unsafe-inline' in a directive that also carries a nonce, so
         * with `nonce_enabled` true the inline keyword mainly affects legacy
         * clients — but 'unsafe-eval' applies everywhere. Treat both as
         * temporary and tighten once inline handlers / eval() usage are gone.
         */
        'script' => $withAllowlist(
            'script',
            [Keyword::SELF, Keyword::UNSAFE_INLINE, Keyword::UNSAFE_EVAL],
        ),

        // Inline <style> elements are permitted; same legacy caveat as above.
        'style_elem' => $withAllowlist(
            'style_elem',
            [Keyword::SELF, Keyword::UNSAFE_INLINE],
        ),

        'style' => $withAllowlist(
            'style',
            [Keyword::SELF, Keyword::UNSAFE_INLINE],
        ),
    ],

    /**
     * Additional global CSP directives (Spatie's own mechanism).
     * Nothing here sets frame-ancestors or base-uri; whether
     * SecurityPolicyBasic does is outside this file.
     */
    'directives' => [
        //
    ],

    /*
     * Presets listed here are emitted as Content-Security-Policy-Report-Only,
     * which is the safe way to trial a new or tightened policy: violations are
     * reported but nothing is blocked.
     */
    'report_only_presets' => [
        //
    ],

    /**
     * Additional global report-only CSP directives.
     */
    'report_only_directives' => [
        //
    ],

    /*
     * Endpoint that receives violation reports (e.g. https://report-uri.com/).
     * Defaults to an empty string when CSP_REPORT_URI is unset. Can be
     * overridden per policy by calling `reportTo`.
     */
    'report_uri' => env('CSP_REPORT_URI', ''),

    /*
     * Master switch: no CSP headers are sent unless this is true. The default
     * is off, so CSP_ENABLED must be set explicitly in each environment.
     */
    'enabled' => env('CSP_ENABLED', false),

    /**
     * Whether to keep sending headers while Vite is hot reloading.
     */
    'enabled_while_hot_reloading' => env('CSP_ENABLED_WHILE_HOT_RELOADING', false),

    /*
     * Generator for the per-request nonces used in inline tags and headers.
     */
    'nonce_generator' => RandomString::class,

    /*
     * Set false to turn off automatic nonce generation and handling. Only
     * appropriate when inline scripts/styles cannot carry a nonce and
     * 'unsafe-inline' is relied on instead — which weakens the policy.
     */
    'nonce_enabled' => env('CSP_NONCE_ENABLED', true),
];