# NAME HTTP::CSPHeader - manage dynamic content security policy headers # VERSION version v0.4.0 # SYNOPSIS ```perl use HTTP::CSPheader; my $csp = HTTP::CSPheader->new( policy => { "default-src" => q['self'], "script-src" => q['self' cdn.example.com], }, nonces_for => [qw/ script-src /], ); ... use HTTP::Headers; my $h = HTTP::Headers->new; $csp->reset; $csp->amend( "+script-src" => "https://captcha.example.com", "+style-src" => "https://captcha.example.com", ); my $nonce = $csp->nonce; $h->header( 'Content-Security-Policy' => $csp->header ); my $body = ... $body .= ""; ``` # DESCRIPTION This module allows you to manage Content-Security-Policy (CSP) headers. It supports dynamic changes to headers, for example, adding a source for a specific page, or managing a random nonce for inline scripts or styles. It also supports caching, so that the header will only be regenerated if there is a change. # ATTRIBUTES ## policy This is a hash reference of policies. The keys a directives, and the values are sources. There is no validation of these values. ## nonces\_for This is an array reference of the directives to add a random ["nonce"](#nonce) to when the ["policy"](#policy) is regenerated. Note that the same nonce will be added to all of the directives, since using separate nonces does not improve security. It is emply by default. A single value will be coerced to an array. This does not validate the values. Note that if a directive allows `'unsafe-inline'` then a nonce may cancel out that value. ## nonce This is the random nonce that is added to directives in ["nonces\_for"](#nonces_for). The nonce is a random string, generated by [Session::Token](https://metacpan.org/pod/Session%3A%3AToken) and based on `/dev/urandom`. If you want to change how it is generated, you can override the `_build_nonce` method in a subclass. Note that you should never make an assumption about the format of the nonce, as the source may change in future versions. ## header This is the value of the header, generated from the ["policy"](#policy). This is a read-only accessor. # METHODS ## reset This resets any changes to the ["policy"](#policy) and clears the ["nonce"](#nonce). It should be run at the start of each HTTP request. If you never make use of the nonce, and never ["amend"](#amend) the headers, then you do not need to run this method. ## amend ```perl $csp->amend( $directive1 => $value1, $directive2 => $value2, ... ); ``` This amends the ["policy"](#policy). If the `$directive` starts with a `+` then the value will be appended to it. Otherwise the change will overwrite the value. If the value is `undef`, then the directive will be deleted. # EXAMPLES ## Mojolicious You can use this with [Mojolicious](https://metacpan.org/pod/Mojolicious): ```perl use HTTP::CSPHeader; use feature 'state'; $self->hook( before_dispatch => sub ($c) { state $csp = HTTP::CSPHeader->new( policy => { 'default-src' => q['self'], 'script-src' => q['self'], }, nonces_for => 'script-src', ); $csp->reset; $c->stash( csp_nonce => $csp->nonce ); $c->res->headers->content_security_policy( $csp->header ); } ); ``` and in your templates, you can use the following for inline scripts: ``` ``` If you do not need the nonce, then you might consider using [Mojolicious::Plugin::CSPHeader](https://metacpan.org/pod/Mojolicious%3A%3APlugin%3A%3ACSPHeader). # SUPPORT FOR OLDER PERL VERSIONS This module requires Perl v5.14 or later. Future releases may only support Perl versions released in the last ten (10) years. # SEE ALSO [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) [HTTP::SecureHeaders](https://metacpan.org/pod/HTTP%3A%3ASecureHeaders) [Plack::Middleware::CSP](https://metacpan.org/pod/Plack%3A%3AMiddleware%3A%3ACSP) # SOURCE The development version is on github at [https://github.com/robrwo/perl-HTTP-CSPHeader](https://github.com/robrwo/perl-HTTP-CSPHeader) and may be cloned from [git://github.com/robrwo/perl-HTTP-CSPHeader.git](git://github.com/robrwo/perl-HTTP-CSPHeader.git) # BUGS Please report any bugs or feature requests on the bugtracker website [https://github.com/robrwo/perl-HTTP-CSPHeader/issues](https://github.com/robrwo/perl-HTTP-CSPHeader/issues) When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature. # AUTHOR Robert Rothenberg # COPYRIGHT AND LICENSE This software is Copyright (c) 2022-2024 by Robert Rothenberg. This is free software, licensed under: ``` The Artistic License 2.0 (GPL Compatible) ```