1 Jan, 2017
Recently I’ve been working on a drop-in class to manage certain “Secure Headers” in PHP.
By “Secure Headers”, I’m of course talking about those mentioned in the OWASP Secure Headers Project.
The project, SecureHeaders, is available on GitHub.
If you’re familiar with PHP, you’ll know that adding a header is actually quite easy. For example, HSTS can be configured in a single line as follows:
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
In fact, you could configure any one of these headers in exactly the same way. So why use a 2.3k line PHP class instead of a one-liner fix for each header?
I started the project as a small class to use for myself to manage CSP policies.
At the time of writing, this is my CSP string:
default-src 'none'; script-src 'self' https://www.google-analytics.com/ 'nonce-noWJFLxtYDQCaRhA3wzbpnnj0ayxstr6mVat+VcB' https://platform.twitter.com/js/ https://cdn.syndication.twimg.com/tweets.json 'strict-dynamic'; style-src 'self' https://fonts.googleapis.com/ https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ 'nonce-AzuI9nGHk86GV7NJ5LNZdsKE7mJeUlDPggnW1/R8' https://platform.twitter.com/css/ https://a.disquscdn.com/next/embed/styles/; img-src 'self' https://www.google-analytics.com/ https://platform.twitter.com/css/ https://syndication.twitter.com/i/jot/syndication https://syndication.twitter.com/i/jot https://pbs.twimg.com/ https://i.ytimg.com/vi/ data: https://referrer.disqus.com/juggler/stat.gif https://a.disquscdn.com/next/embed/assets/img/; font-src 'self' https://fonts.googleapis.com/ https://fonts.gstatic.com/ https://cdnjs.cloudflare.com/ajax/libs/font-awesome/; base-uri 'self'; connect-src 'self' https://www.google-analytics.com/r/collect; frame-ancestors 'none'; object-src 'none'; block-all-mixed-content; upgrade-insecure-requests; report-uri https://aidanwoods.report-uri.io/r/default/csp/enforce; child-src https://syndication.twitter.com/ https://platform.twitter.com/ https://www.youtube.com/embed/ https://disqus.com/embed/comments/ https://disqus.com/home/preload/ https://disqus.com/home/forums/aidanwoods/ https://disqus.com/home/inbox/; frame-src https://syndication.twitter.com/ https://platform.twitter.com/ https://www.youtube.com/embed/ https://disqus.com/embed/comments/ https://disqus.com/home/preload/ https://disqus.com/home/forums/aidanwoods/ https://disqus.com/home/inbox/; form-action https://syndication.twitter.com/ https://platform.twitter.com/;
Obviously, this is not a format that lends itself nicely to debugging and maintaining. While some URIs might be obvious as to their purpose upon reading, things like https://pbs.twimg.com/, for example,
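To make the maintainability point concrete, here is an added example of my own (not code from the SecureHeaders project) that keeps the policy as a nested PHP array and serialises it into the header, so every host sits under the directive that needs it and the per-response nonce is generated rather than pasted in. The policy below is a constructed, abbreviated version of the one above.

```php
<?php
// Added example, not from the SecureHeaders project. Assumes PHP 7.0+ for random_bytes().

function cspNonce(): string
{
    // 24 random bytes, base64-encoded: a fresh value for every response
    return base64_encode(random_bytes(24));
}

function buildCsp(array $policy): string
{
    $directives = [];
    foreach ($policy as $name => $sources) {
        if ($sources === true) {          // flag directives carry no source list
            $directives[] = $name;
            continue;
        }
        $parts = [];
        foreach ($sources as $src) {
            // CSP keywords and nonces must be single-quoted; hosts and schemes must not be
            $isKeyword = in_array($src, ['self', 'none', 'strict-dynamic'], true)
                || strncmp($src, 'nonce-', 6) === 0;
            $parts[] = $isKeyword ? "'$src'" : $src;
        }
        $directives[] = $name . ' ' . implode(' ', $parts);
    }
    return implode('; ', $directives);
}

$nonce = cspNonce();
$policy = [
    'default-src'               => ['none'],
    'script-src'                => ['self', 'https://www.google-analytics.com/', "nonce-$nonce", 'strict-dynamic'],
    'img-src'                   => ['self', 'https://pbs.twimg.com/', 'data:'],
    'frame-ancestors'           => ['none'],
    'object-src'                => ['none'],
    'block-all-mixed-content'   => true,
    'upgrade-insecure-requests' => true,
];

// header() must run before any output is sent
header('Content-Security-Policy: ' . buildCsp($policy));
// Reuse $nonce on the inline <script nonce="..."> tags this page emits
```

Because each directive is a separate array entry, removing a third-party widget means deleting its hosts from a few named lists rather than hunting for them inside one long string.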