Jul 8, 2021 by Thibault Debatty | 3823 views
CSP (Content Security Policy) reduces the risk of cross-site scripting and other content-injection attacks by defining, at the level of the webserver, a header that whitelists authorized sources of content for your website.
There is no policy that fits all websites. Hence CSP is not enabled by default on a Laravel app. So here is an example that you should add to the file public/.htaccess:
<IfModule mod_headers.c> # https://cylab.be/blog/155/harden-your-laravel-app-with-csp-headers Header set Content-Security-Policy "default-src 'self'; style-src 'self' fonts.googleapis.com; object-src 'none'; form-action 'self'; font-src 'self' fonts.gstatic.com" </IfModule>
In this example:
For this to work, you must enable the headers module on your server:
sudo a2enmod headers
Or, if you are using Docker, you must add this command to your Dockerfile:
RUN a2enmod headers
You can check the header is correctly sent by your server using the 'Network' tab of your browser.
This example is taken from our Cyber-Wise project.