wilz
Level 1

CSP Issue

I have created a Laravel web application, but when I run the security test in the OWASP ZAP software I get the alert

Content Security Policy (CSP)

and to solve this CSP alert I created the middleware

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ContentSecurityPolicy
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // CSP rules as a single-line string to avoid formatting issues
        $cspRules = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self';";

        // Set the CSP header
        $response->headers->set('Content-Security-Policy', $cspRules);

        return $response;
    }
}

I get the alert

CSP: Wildcard Directive

and for this

$cspRules = "default-src 'self'; "
          . "script-src 'self' https://apis.google.com; "
          . "style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; "
          . "img-src 'self' https://example.com data:; "
          . "font-src 'self' https://fonts.gstatic.com; "
          . "connect-src 'self' https://api.example.com; "
          . "frame-src 'self';"; // concatenated: a header value must be a single line, PHP's header() rejects newlines

I still get the same alert, so how can I solve this and prevent the alert?

Please help me with this, it would be very helpful; it's urgent for me.

And thanks in advance for all your support, guys.

Thank you

0 likes
2 replies
wilz
Level 1
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Concatenated into one line: a header value must not contain newlines,
        // PHP's header() refuses a value that does.
        $response->headers->set('Content-Security-Policy',
            "default-src 'self'; "
            . "script-src 'self'; "
            . "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
            . "img-src 'self' data:; "
            . "font-src 'self' https://fonts.gstatic.com; "
            . "connect-src 'self' https://api.example.com;"
        );

        return $response;
    }
}

This is my middleware code.
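Added example, not code from this thread: ZAP's "CSP: Wildcard Directive" rule (the same one raised against the policies in the question and the reply above) also fires when directives that do not fall back to default-src, namely frame-ancestors, form-action and base-uri, are left undefined, because an undefined directive of that kind allows every source. So a policy whose listed directives are all 'self' is still reported until those are set explicitly. The middleware below sets them, builds the header value from an array so it is always one line (PHP's header() refuses a value containing a newline, so a multi-line string literal never reaches the browser), and uses a per-request nonce instead of 'unsafe-inline' for scripts. The hosts https://fonts.googleapis.com, https://fonts.gstatic.com and https://api.example.com are taken from the thread; the $cspNonce view variable, the use of view()->share() to pass it to Blade, and the middleware registration location are assumptions for this example.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next): Response
    {
        // Fresh nonce per request, base64 as the CSP nonce grammar requires.
        // Blade templates print it on the inline scripts they emit:
        //   <script nonce="{{ $cspNonce }}">...</script>
        // (The $cspNonce name and view()->share() are assumptions of this example.)
        $nonce = base64_encode(random_bytes(16));
        view()->share('cspNonce', $nonce);

        $response = $next($request);

        $directives = [
            'default-src'     => ["'self'"],
            // A nonce instead of 'unsafe-inline': only tags carrying this nonce
            // execute, so ZAP's "script-src unsafe-inline" alert disappears too.
            'script-src'      => ["'self'", "'nonce-{$nonce}'"],
            // 'unsafe-inline' for styles is still reported by ZAP as a separate,
            // lower-risk alert; drop it once inline style attributes are gone.
            'style-src'       => ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
            'img-src'         => ["'self'", 'data:'],
            'font-src'        => ["'self'", 'https://fonts.gstatic.com'],
            'connect-src'     => ["'self'", 'https://api.example.com'], // API host from the thread
            'frame-src'       => ["'self'"],
            // object-src does fall back to default-src, but 'none' is the
            // explicit, stricter setting (no plugins at all).
            'object-src'      => ["'none'"],
            // None of the following fall back to default-src. Left undefined they
            // allow everything, which is what "CSP: Wildcard Directive" reports.
            'base-uri'        => ["'self'"],
            'form-action'     => ["'self'"],
            'frame-ancestors' => ["'none'"],   // clickjacking protection, replaces X-Frame-Options: DENY
        ];

        $response->headers->set('Content-Security-Policy', self::serialize($directives));

        return $response;
    }

    /**
     * Join the directive map into a single line. An HTTP header value cannot
     * span lines, so building it this way avoids the multi-line string problem.
     */
    public static function serialize(array $directives): string
    {
        $parts = [];
        foreach ($directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }

        return implode('; ', $parts);
    }
}
```

Register it globally (the `$middleware` array in app/Http/Kernel.php on Laravel 10 and earlier, or `->withMiddleware()` in bootstrap/app.php on Laravel 11), and while the source lists are still being tuned send the same value under Content-Security-Policy-Report-Only first so nothing breaks in production. ZAP names the offending directives in the alert description, so after re-scanning a response that carries this header any remaining entry in that list points at exactly what is still missing or too broad.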
wilz
Level 1

Please, can anyone help?
