Skip to content

Instantly share code, notes, and snippets.

@S1SYPHOS
Forked from joachimesque/config.php
Last active February 16, 2018 23:24
Show Gist options
  • Save S1SYPHOS/7d7cfc1628bc7ddc33654a11313e3a98 to your computer and use it in GitHub Desktop.
Save S1SYPHOS/7d7cfc1628bc7ddc33654a11313e3a98 to your computer and use it in GitHub Desktop.
CSP headers with a script-src nonce directive for Kirby
<?php
/*
---------------------------------------
HTTP Security headers
---------------------------------------
*/
// Generating CSP nonce & defining CSP header
$csp_nonce = base64_encode(random_bytes(20));
$csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-" . $csp_nonce . "';";
// Making it accessible as `csp-nonce`
c::set('csp-nonce', $csp_nonce);
// Setting security headers
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header($csp_header);
header('Strict-Transport-Security: max-age=31536000; includeSubdomains');
<script type="text/javascript" nonce="<?= c::get('csp-nonce') ?>">
console.log('Hello World!')
</script>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment