How to use CSP in Laravel to Enhance the App’s Security

CSP (Content Security Policy) is a set of rules and directives that allow or reject the assets, files, and other data that may be loaded on a specific page. A policy is delivered either as an HTTP response header or as a <meta> tag in the head section of the page. CSPs let you decide which assets and resources your web page is allowed to load. Using CSPs gives developers confidence that users will only load approved images, scripts, and other assets. Let’s go through this tutorial to learn how to use CSP in Laravel.

In Laravel, CSPs allow you to whitelist script sources, stylesheet links, and other assets of your application, thereby improving its security. A policy protects the application from malicious content that an attacker tries to inject, because anything not on the whitelist is refused by the browser.

We can use the spatie/laravel-csp package to use CSP in a Laravel application. Use of CSPs can get complex in large applications. However, they are a vital part of an application’s security. Let’s go through the steps on how to add CSP to a Laravel application.

Implementing CSP in Laravel

CSPs can be defined in the <meta> tags of your application, but they are more commonly sent as response headers, and they can be added to the app in many ways. For Laravel applications, the best way is to add them using the spatie/laravel-csp package, which sets the header on every response that passes through its middleware.

Step 1: Install the package

Use the command below to install the Laravel CSP Package.

composer require spatie/laravel-csp

Next, you can publish the application’s config file, using the command below.

php artisan vendor:publish --tag=csp-config

This creates the csp.php file inside the config folder of your app.

Step 2: Apply the CSP Policy

Next, you should add the CSP headers to your HTTP responses. One option is to attach the middleware to individual web routes, by declaring it in the routes/web.php file as shown below.

use Spatie\Csp\AddCspHeaders;

Route::get('example-route', 'ExampleController')->middleware(AddCspHeaders::class);

You can also apply the CSP middleware to a group of routes as shown below.

use Spatie\Csp\AddCspHeaders;

Route::middleware(AddCspHeaders::class)->group(function () {
   // Add routes here...
});

Another way is to add the CSP header middleware to the web section of your middleware groups in the kernel file.

Your app/Http/Kernel.php file should list the CSP middleware as shown below.

protected $middlewareGroups = [
  'web' => [
      // ... existing web middleware stays here ...
      \Spatie\Csp\AddCspHeaders::class,
  ],
];

This will automatically add the CSP headers to all routes that run through the web middleware group.

Default CSP for Application

The default CSP used for your application will be the one defined in your config/csp.php file as the default key. 

We can have multiple CSPs for a single application. The default key can be updated to add any number of security policies for various assets and resources for a web application. 

A custom policy class can apply a predefined set of CSP directives to a specific route or a group of routes. The policy class is passed to the middleware as a parameter, as shown below.

use App\Support\Csp\Policies\CustomPolicy;
use Spatie\Csp\AddCspHeaders;

Route::middleware(AddCspHeaders::class.':'.CustomPolicy::class)->group(function () {
   // add routes here...
});
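As an added example that is not part of the original tutorial, here is what the App\Support\Csp\Policies\CustomPolicy class referenced above could look like, written against the spatie/laravel-csp v2 Policy API. The CDN hostname and the report endpoint are placeholder assumptions.

```php
<?php

namespace App\Support\Csp\Policies;

use Spatie\Csp\Directive;
use Spatie\Csp\Keyword;
use Spatie\Csp\Policies\Policy;
use Spatie\Csp\Value;

class CustomPolicy extends Policy
{
    public function configure()
    {
        $this
            // Anything not covered by a more specific directive falls back to same-origin.
            ->addDirective(Directive::DEFAULT, Keyword::SELF)
            // Scripts and styles: same origin plus one explicitly allowed CDN
            // (placeholder hostname, replace it with the host you actually use).
            ->addDirective(Directive::SCRIPT, [Keyword::SELF, 'cdn.example.com'])
            ->addDirective(Directive::STYLE, [Keyword::SELF, 'cdn.example.com'])
            // Inline <script> and <style> blocks are only allowed when they carry
            // the per-request nonce, rendered in Blade with csp_nonce().
            ->addNonceForDirective(Directive::SCRIPT)
            ->addNonceForDirective(Directive::STYLE)
            // Images may also come from data: URIs (for example inline SVG icons).
            ->addDirective(Directive::IMG, [Keyword::SELF, 'data:'])
            // No plugins, no framing by other sites, and forms only submit back to us.
            ->addDirective(Directive::OBJECT, Keyword::NONE)
            ->addDirective(Directive::FRAME_ANCESTORS, Keyword::NONE)
            ->addDirective(Directive::FORM_ACTION, Keyword::SELF)
            // Upgrade http:// subresource requests to https:// (directive takes no value).
            ->addDirective(Directive::UPGRADE_INSECURE_REQUESTS, Value::NO_VALUE)
            // Browsers POST violation reports here (placeholder route, assumed to exist).
            ->reportTo(url('/csp-report'));
    }
}
```

In Blade, inline scripts must carry the nonce (`<script nonce="{{ csp_nonce() }}">`) or the browser will refuse to run them. While tuning the allowed sources, register the class under the report_only_policy key in config/csp.php instead of policy so that violations are reported but not yet blocked.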

The default content security policy shipped with the package allows assets and scripts to load only from the same domain as your application. So if you are not using any external resources, the default policy is enough for your application.

Learn more on how to add custom CSP rules to your Laravel Application.