EN FR
← Packages

jdz/cspmaker

Content Security Policy header builder with integration recipes

Overview

Build Content Security Policy header strings without forgetting a directive. A third party like Matomo must be whitelisted in script-src and img-src and connect-src — hand-list those and you will eventually forget one, and the browser silently blocks the request. cspMaker is one source of truth for the CSP directive vocabulary, plus reusable integration recipes that know every directive a service touches.

Features

  • Fluent builder: CspBuilder::create()->defaultSrc("'none'")->scriptSrc('self')…->build()
  • Integration recipes — ->matomo($host) whitelists script + img + connect + frame atomically; Google Fonts and friends included
  • ->allowHost($host, ['script','img','connect']) — one host across many directives when there's no recipe
  • Config-driven builds: CspBuilder::fromYaml('config/csp.yml') or from a plain array
  • PHP 8.2+, zero runtime dependencies (symfony/yaml only for fromYaml())
  • Powers the CSP blocks emitted by jdz/htaccessmaker

Installation

composer require jdz/cspmaker