Use Content Security Policy
Content Security Policy (CSP) is a browser-enforced security mechanism that helps prevent cross-site scripting (XSS) attacks by restricting the sources from which content (scripts, styles, images, frames and so on) may be loaded on a web page. By setting a CSP header, you specify which sources of content are allowed to load in your Laravel application; anything else is blocked by the browser and reported as a violation.
To enable CSP in your Laravel application, either add a Content-Security-Policy header in your web server configuration or use a Laravel middleware to set the header on every response. Here is an example middleware that sets a basic CSP header:
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next)
    {
        // Let the rest of the pipeline build the response first, then attach the header.
        $response = $next($request);

        // Basic policy: load everything from the same origin by default.
        // 'unsafe-inline' permits inline <script> blocks, which weakens the XSS
        // protection CSP provides; it is kept here only as a minimal starting point.
        $csp = "default-src 'self'; script-src 'self' 'unsafe-inline';";

        $response->header('Content-Security-Policy', $csp);

        return $response;
    }
}
Add the ContentSecurityPolicy middleware to the $middleware array in app/Http/Kernel.php:
protected $middleware = [
    // ...
    \App\Http\Middleware\ContentSecurityPolicy::class,
];
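The basic policy above still allows 'unsafe-inline', so any script an attacker manages to inject inline will run. The middleware below is an added example, not code from the original page or from Laravel itself: it issues a fresh random nonce per request so that only inline scripts carrying that nonce execute. It assumes a Laravel 10+ application (for Vite::useCspNonce) and a hypothetical /csp-report route for violation reports.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next): Response
    {
        // Fresh, unguessable nonce per request: 16 random bytes, base64 as the CSP grammar requires.
        $nonce = base64_encode(random_bytes(16));

        // Hand the nonce to the view layer before the response is rendered:
        // @vite emits nonce="..." on its tags (assumes Laravel 10+), and templates
        // can write <script nonce="{{ $cspNonce }}"> for their own inline scripts.
        Vite::useCspNonce($nonce);
        view()->share('cspNonce', $nonce);

        $response = $next($request);

        $directives = [
            "default-src 'self'",
            // Only scripts carrying this request's nonce run. 'strict-dynamic' lets a nonced
            // script load its own dependencies; 'self' is a fallback for pre-CSP3 browsers.
            "script-src 'self' 'nonce-{$nonce}' 'strict-dynamic'",
            "style-src 'self' 'nonce-{$nonce}'",
            // Block plugins, <base> tag hijacking, framing and form posts to other origins.
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'",
            "form-action 'self'",
            // The browser POSTs violation reports here (hypothetical route; log them to tune the policy).
            "report-uri /csp-report",
        ];

        // headers->set works on every Symfony-based response, not only Illuminate\Http\Response.
        $response->headers->set('Content-Security-Policy', implode('; ', $directives));

        return $response;
    }
}
```

Register it in the $middleware array exactly as the basic version above. A page whose inline script lacks the nonce will show a CSP violation in the browser console, which is the quickest way to find scripts that still need tagging.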