@joachimesque
Created January 4, 2018 15:19
CSP headers with a script-src nonce directive for Kirby
<?php
/*
---------------------------------------
CSP
---------------------------------------
*/
// a fresh, unguessable nonce for this request (20 random bytes = 160 bits, base64-encoded)
$csp_nonce = base64_encode(random_bytes(20));
// only scripts from this origin or inline scripts carrying the matching nonce may run
$csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-" . $csp_nonce . "';";
// store the nonce in Kirby's config store so it's accessible from templates and snippets
c::set('csp-nonce', $csp_nonce);
// set headers (header() must be called before any output is sent)
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header($csp_header);
header('strict-transport-security: max-age=31536000; includeSubdomains');

<!-- in a template or snippet: read the nonce back and put it on every inline script tag -->
<script type="text/javascript" nonce="<?= c::get('csp-nonce') ?>">
console.log('Hello World!')
</script>
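The gist above is the whole mechanism; what tends to break it in practice is sending the headers after output has started (PHP then drops them with a warning and the page ships with no policy) or reusing a nonce across requests. The following is an added example, not code from the gist or from Kirby, that wraps the same header set in small helpers which guard those two failure modes. The function names (csp_make_nonce, csp_build_header, csp_send_security_headers, csp_nonce_is_valid) are assumptions made for this example; the directives and header values are the gist's own, with the HSTS header written in its canonical casing.

```php
<?php
// Added example (not part of the gist, not Kirby API): helpers around the
// gist's nonce-based CSP that fail loudly instead of silently shipping no policy.

function csp_make_nonce(int $bytes = 20): string
{
    // random_bytes() is a CSPRNG; 20 bytes = 160 bits. base64 output only
    // contains [A-Za-z0-9+/=], which is exactly what a CSP nonce may contain.
    return base64_encode(random_bytes($bytes));
}

function csp_build_header(string $nonce): string
{
    // Same directives as the gist. The nonce lands inside a quoted source
    // expression, so never build this from user-controlled input.
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-" . $nonce . "';";
}

function csp_send_security_headers(string $nonce): void
{
    // header() is a no-op once the response body has started; surface that
    // instead of letting the page go out without a CSP.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line; cannot send security headers");
    }
    header('X-Frame-Options: SAMEORIGIN');
    header('X-XSS-Protection: 1; mode=block'); // kept from the gist; modern browsers ignore it, CSP is the real control
    header('X-Content-Type-Options: nosniff');
    header(csp_build_header($nonce));
    // HTTP header names are case-insensitive, but canonical casing avoids
    // surprises with proxies and scanners that compare them literally.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function csp_nonce_is_valid(string $nonce): bool
{
    // Reject anything that is not base64 or encodes fewer than 128 bits:
    // a short or malformed nonce is guessable or is dropped by the browser.
    if (!preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $nonce)) {
        return false;
    }
    $raw = base64_decode($nonce, true);
    return $raw !== false && strlen($raw) >= 16;
}

// Per request: generate once, send headers first, then render the nonce on
// every inline <script>. Escaping is harmless here and keeps the habit.
$nonce = csp_make_nonce();
csp_send_security_headers($nonce);
assert(csp_nonce_is_valid($nonce));
assert(csp_make_nonce() !== $nonce); // a second call must yield a different nonce
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">console.log("allowed")</script>';
```

In Kirby the equivalent of the last three lines is what the gist already does: generate the nonce in the config, expose it with c::set(), and read it back with c::get() in the template. The point of the helpers is the headers_sent() check and the nonce validation, which you can run from a test before deploying a policy change.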
@S1SYPHOS

IMHO strict-transport-security should be Strict-Transport-Security, otherwise it may not get accepted (at least it didn't for me).

😞
