init

.gitattributes

@@ -0,0 +1,10 @@
+# Path-based git attributes
+# https://www.kernel.org/pub/software/scm/git/docs/gitattributes.html
+
+# Ignore all test and documentation with "export-ignore".
+/.gitattributes     export-ignore
+/.gitignore         export-ignore
+/.travis.yml        export-ignore
+/phpunit.xml.dist   export-ignore
+/.scrutinizer.yml   export-ignore
+/tests              export-ignore

.gitignore

@@ -0,0 +1,4 @@
+build
+composer.lock
+docs
+vendor

.scrutinizer.yml

@@ -0,0 +1,35 @@
+filter:
+    excluded_paths: [tests/*]
+checks:
+    php:
+        code_rating: true
+        remove_extra_empty_lines: true
+        remove_php_closing_tag: true
+        remove_trailing_whitespace: true
+        fix_use_statements:
+            remove_unused: true
+            preserve_multiple: false
+            preserve_blanklines: true
+            order_alphabetically: true
+        fix_php_opening_tag: true
+        fix_linefeed: true
+        fix_line_ending: true
+        fix_identation_4spaces: true
+        fix_doc_comments: true
+tools:
+    external_code_coverage:
+        timeout: 600
+        runs: 1
+    php_analyzer: true
+    php_code_coverage: false
+    php_code_sniffer:
+        config:
+            standard: PSR2
+        filter:
+            paths: ['src']
+    php_loc:
+        enabled: true
+        excluded_dirs: [vendor, tests]
+    php_cpd:
+        enabled: true
+        excluded_dirs: [vendor, tests]

.travis.yml

@@ -0,0 +1,19 @@
+language: php
+
+php:
+  - 5.6
+  - 7.0
+  - hhvm
+
+before_script:
+  - travis_retry composer self-update
+  - travis_retry composer install --no-interaction --prefer-source --dev
+  - travis_retry phpenv rehash
+
+script:
+  - ./vendor/bin/phpcs --standard=psr2 src/
+  - ./vendor/bin/phpunit --coverage-text --coverage-clover=coverage.clover
+
+after_script:
+  - wget https://scrutinizer-ci.com/ocular.phar
+  - php ocular.phar code-coverage:upload --format=php-clover coverage.clover

CHANGELOG.md

@@ -0,0 +1,20 @@
+#Changelog
+
+All Notable changes to `laravel-middleware-csp` will be documented in this file
+
+## NEXT - YYYY-MM-DD
+
+### Added
+- Nothing
+
+### Deprecated
+- Nothing
+
+### Fixed
+- Nothing
+
+### Removed
+- Nothing
+
+### Security
+- Nothing

CONTRIBUTING.md

@@ -0,0 +1,32 @@
+# Contributing
+
+Contributions are **welcome** and will be fully **credited**.
+
+We accept contributions via Pull Requests on [Github](https://github.com/stevenmaguire/laravel-middleware-csp).
+
+
+## Pull Requests
+
+- **[PSR-2 Coding Standard](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md)** - The easiest way to apply the conventions is to install [PHP Code Sniffer](http://pear.php.net/package/PHP_CodeSniffer).
+
+- **Add tests!** - Your patch won't be accepted if it doesn't have tests.
+
+- **Document any change in behaviour** - Make sure the `README.md` and any other relevant documentation are kept up-to-date.
+
+- **Consider our release cycle** - We try to follow [SemVer v2.0.0](http://semver.org/). Randomly breaking public APIs is not an option.
+
+- **Create feature branches** - Don't ask us to pull from your master branch.
+
+- **One pull request per feature** - If you want to do more than one thing, send multiple pull requests.
+
+- **Send coherent history** - Make sure each individual commit in your pull request is meaningful. If you had to make multiple intermediate commits while developing, please squash them before submitting.
+
+
+## Running Tests
+
+``` bash
+$ phpunit
+```
+
+
+**Happy coding**!

LICENSE.md

@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright (c) 2015 Steven Maguire <[email protected]>
+
+> Permission is hereby granted, free of charge, to any person obtaining a copy
+> of this software and associated documentation files (the "Software"), to deal
+> in the Software without restriction, including without limitation the rights
+> to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+> copies of the Software, and to permit persons to whom the Software is
+> furnished to do so, subject to the following conditions:
+>
+> The above copyright notice and this permission notice shall be included in
+> all copies or substantial portions of the Software.
+>
+> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+> IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+> FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+> AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+> LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+> OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+> THE SOFTWARE.

README.md

@@ -0,0 +1,234 @@
+# Content Security Policy Middleware
+
+[![Latest Version](https://img.shields.io/github/release/stevenmaguire/laravel-middleware-csp.svg?style=flat-square)](https://github.com/stevenmaguire/laravel-middleware-csp/releases)
+[![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
+[![Build Status](https://img.shields.io/travis/stevenmaguire/laravel-middleware-csp/master.svg?style=flat-square)](https://travis-ci.org/stevenmaguire/laravel-middleware-csp)
+[![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/stevenmaguire/laravel-middleware-csp.svg?style=flat-square)](https://scrutinizer-ci.com/g/stevenmaguire/laravel-middleware-csp/code-structure)
+[![Quality Score](https://img.shields.io/scrutinizer/g/stevenmaguire/laravel-middleware-csp.svg?style=flat-square)](https://scrutinizer-ci.com/g/stevenmaguire/laravel-middleware-csp)
+[![Total Downloads](https://img.shields.io/packagist/dt/stevenmaguire/laravel-middleware-csp.svg?style=flat-square)](https://packagist.org/packages/stevenmaguire/laravel-middleware-csp)
+
+Provides support for enforcing Content Security Policy with headers in Laravel responses.
+
+## Install
+
+Via Composer
+
+``` bash
+$ composer require stevenmaguire/laravel-middleware-csp
+```
+
+## Usage
+
+### Register as route middleware
+
+``` php
+// within app/Http/Kernal.php
+
+protected $routeMiddleware = [
+    //
+    'secure.content' => \Stevenmaguire\Http\Middleware\Laravel\EnforceContentSecurity::class,
+    //
+];
+```
+
+### Apply content security policy to routes
+
+The following will apply all default profiles to the `gallery` route.
+
+``` php
+// within app/Http/routes.php
+
+Route::get('gallery', ['middleware' => 'secure.content', function () {
+    return 'pictures!';
+}]);
+```
+
+The following will apply all default profiles and a specific `flickr` profile to the `gallery` route.
+
+``` php
+// within app/Http/routes.php
+
+Route::get('gallery', ['middleware' => 'secure.content:flickr', function () {
+    return 'pictures!';
+}]);
+```
+
+
+### Apply content security policy to controllers
+
+The following will apply all default profiles to all methods within the `GalleryController`.
+
+``` php
+// within app/Http/Controllers/GalleryController.php
+
+public function __construct()
+{
+    $this->middleware('secure.content');
+}
+```
+The following will apply all default profiles and a specific `google` profile to all methods within the `GalleryController`.
+
+``` php
+// within app/Http/Controllers/GalleryController.php
+
+public function __construct()
+{
+    $this->middleware('secure.content:google');
+}
+```
+You can include any number of specific profiles to any middleware decoration. For instance, the following will apply default, `google`, `flickr`, and `my_custom` profiles to all methods within the `GalleryController`.
+
+``` php
+// within app/Http/Controllers/GalleryController.php
+
+public function __construct()
+{
+    $this->middleware('secure.content:google,flickr,my_custom');
+}
+```
+
+### Create content security profiles
+
+The default location for content security profiles is `security.content`. If you wish to use this default configuration, ensure your project includes the appropriate configuration files.
+
+The structure of this configuration array is important. The middleware expects to find a `default` key with a string value and a `profiles` key with an array value.
+
+``` php
+// within config/security.php
+
+return [
+    'content' => [
+        'default' => '',
+        'profiles' => [],
+    ],
+];
+
+```
+The `profiles` array contains the security profiles for your application. Each profile name must be unique and is expected to have a value of an array.
+
+``` php
+// within config/security.php
+
+return [
+    'content' => [
+        'default' => '',
+        'profiles' => [
+            'profile_one' => [],
+            'profile_two' => [],
+            'profile_three' => [],
+        ],
+    ],
+];
+
+```
+Each profile array should contain keys that correspond to Content Security Policy directives. The value of each of these directives can be a string, comma-separated string, or array of strings. Each string value should correspond to the domain associated with your directive and profile.
+
+``` php
+// within config/security.php
+
+return [
+    'content' => [
+        'default' => '',
+        'profiles' => [
+            'profile_one' => [
+                'base-uri' => 'https://domain.com,http://google.com',
+            ],
+            'profile_two' => [
+                'font-src' => 'https://domain.com',
+                'base-uri' => [
+                    "'self'",
+                    'http://google.com'
+                ],
+            ],
+            'profile_three' => [
+                'font-src' => [
+                    "'self'"
+                ],
+            ],
+        ],
+    ],
+];
+
+```
+The `default` key value should be a string, comma-separated string, or array of strings that correspond to the unique profile names that you would like to enforce on all responses with minimal content security applied.
+
+``` php
+// within config/security.php
+
+return [
+    'content' => [
+        'default' => 'profile_one',
+        'profiles' => [
+            'profile_one' => [
+                'base-uri' => 'https://domain.com,http://google.com',
+            ],
+            'profile_two' => [
+                'font-src' => 'https://domain.com',
+                'base-uri' => [
+                    "'self'",
+                    'http://google.com'
+                ],
+            ],
+            'profile_three' => [
+                'font-src' => [
+                    "'self'"
+                ],
+            ],
+        ],
+    ],
+];
+
+```
+
+Here is a real-world example:
+
+``` php
+// within config/security.php
+
+return [
+    'content' => [
+        'default' => 'global',
+        'profiles' => [
+            'global' => [
+                'base-uri' => "'self'",
+                'font-src' => [
+                    "'self'",
+                    'fonts.gstatic.com'
+                ],
+                'img-src' => "'self'",
+                'script-src' => "'self'",
+                'style-src' => [
+                    "'self'",
+                    "'unsafe-inline'",
+                    'fonts.googleapis.com'
+                ],
+            ],
+            'flickr' => [
+                'img-src' => [
+                    'https://*.staticflickr.com',
+                ],
+            ],
+        ],
+    ],
+];
+
+```
+
+## Testing
+
+``` bash
+$ ./vendor/bin/phpunit
+```
+
+## Contributing
+
+Please see [CONTRIBUTING](https://github.com/stevenmaguire/laravel-middleware-csp/blob/master/CONTRIBUTING.md) for details.
+
+## Credits
+
+- [Steven Maguire](https://github.com/stevenmaguire)
+- [All Contributors](https://github.com/stevenmaguire/laravel-middleware-csp/contributors)
+
+## License
+
+The MIT License (MIT). Please see [License File](LICENSE.md) for more information.