Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Aidan Woods:
Secure Headers for PHP
Jan 09, 2017 @ 13:14:11

In a recent post to his site Aidan Woods shares information (and code) related to the use of secure headers in PHP applications. He's even created a package to help make it easier to drop them into a new or existing project without too much trouble.

Recently I've been working on a drop in class to manage certain "Secure Headers" in PHP. By "Secure Headers", I'm of course talking about those mentioned in the OWASP Secure Headers Project. The project, SecureHeaders is available on GitHub.

He starts by covering why he created the library and what it can help you with including making things like a CSP policy easier to maintain. The article goes on to talk about the Content-Security-Policy header is and what kind of prevention it applies. He also shares how the package displays errors, modifies cookies to secure them (HTTPOnly and Secure flags) as well as provide a "safe mode" that "place an upper limit on things like HSTS and HPKP, and remove flags like includeSubDomains or preload until the header is manually added as a safe mode exception, or safe mode is disabled."

tagged: header security package project csp https cookies

Link: https://www.aidanwoods.com/blog/secure-headers-for-php

DashExamples.com:
Capture Content Security Policy (CSP) Violations in PHP
Aug 22, 2011 @ 09:02:05

From DashExamples.com there's a quick post on how you can set up your application to notify you on content security policy violations and store them back on he server side for later review.

When somebody violates your CSP rules, there is a great feature that can setup for supporting browsers to send back the violations to your server to be saved, processed or whatever. This is a great feature because you can stop a possibly malicious piece of code from executing and learn which scripts may have vulnerabilities in your code.

The reports as delivered by the browser back to your server according to your site's policy setup. They're sent back as a JSON string that is easily parsed and stored. The post shows you a sample database table structure (storing things like request, headers, blocked location and IP address) and the PHP to handle the incoming post. For more about the CSP reports, see Mozilla's example on their Developer section.

tagged: content security violation csp json tutorial mozilla

Link: