
A Python tool for generating Content Security Policies (CSP) without constantly repeating yourself

Project description

Privex Content Security Policy Generator (CSP Gen)


A Python tool for generating Content Security Policies (CSP) without constantly repeating yourself.

+===================================================+
|                 © 2021 Privex Inc.                |
|               https://www.privex.io               |
+===================================================+
|                                                   |
|   CSPGen - Python Content Sec Policy Generator    |
|   License: X11/MIT                                |
|                                                   |
|        Core Developer(s):                         |
|                                                   |
|          (+)  Chris (@someguy123) [Privex]        |
|          (+)  Kale (@kryogenic) [Privex]          |
|                                                   |
+===================================================+

CSPGen - A Python tool for generating Content Security Policies without constantly repeating yourself.
Copyright (c) 2021    Privex Inc. ( https://www.privex.io )

Quickstart

# Install/Upgrade CSPGen using python3 pip as root
sudo -H python3 -m pip install -U privex-cspgen
# Or if you don't have root access / don't trust installing as root, you can install
# as a normal user, as long as $HOME/.local/bin is in your $PATH
python3 -m pip install --user -U privex-cspgen 
# Use the 'rehash' command to rescan PATH for new executables, so that tab completion works reliably
rehash

# Use --example to create an INI file using our example.ini template, which you can
# then adjust to your own CSP needs
csp-gen --example > my_csp.ini
# Open up my_csp.ini in your favourite editor, and adjust to your specific needs (e.g. nano)
nano my_csp.ini
# Parse my_csp.ini into browser Content-Security-Policy header format, outputting the result to my_header.txt
csp-gen my_csp.ini | tee -a my_header.txt
# NOTE: If something is wrong with the binary, you can run cspgen via the Python module instead
python3 -m privex.cspgen my_csp.ini | tee -a my_header.txt
# If you have some sort-of INI auto-generation, or simply want to do some pre-processing of your INI with unix tools,
# then you can simply pipe an INI config into csp-gen
cat my_csp.ini | csp-gen | tee -a my_header.txt

# If you wanted to make the CSP header more readable - assuming the web server you're gonna use it on allows newlines,
# you can use --section-sep to separate each CSP section (img-src, media-src etc.) with a newline
csp-gen --section-sep "\n" my_csp.ini

Docker Quickstart

Our DockerHub image: privex/cspgen

Our image is based on python:3.9-alpine to keep the image as small as possible, since CSPGen doesn't need any special libraries that would require a full Debian-based image.

# Alias the docker run command to 'cspgen' for convenience
alias cspgen="docker run --rm -i privex/cspgen"
# Generate an example .ini file
cspgen --example > my_csp.ini
# Adjust the INI file to your CSP needs
nano my_csp.ini
# Once your INI file is ready to be converted, pipe it in via STDIN
# (docker cannot access your files unless you mount a volume onto /data)
cspgen < my_csp.ini
# If you wanted to make the CSP header more readable - assuming the web server you're gonna use it on allows newlines,
# you can use --section-sep to separate each CSP section (img-src, media-src etc.) with a newline
cspgen --section-sep "\n" < my_csp.ini

Installation

From pip3

CSPGen can easily be installed from PyPi using the standard pip3 package manager.

# Install/Upgrade CSPGen using pip3 as root
sudo -H pip3 install -U privex-cspgen
# Or if you don't have root access / don't trust installing as root, you can install
# as a normal user, as long as $HOME/.local/bin is in your $PATH
pip3 install --user -U privex-cspgen 
# If you have problems using pip3, then use python3 / python3.x to call the pip module
python3.7 -m pip install --user -U privex-cspgen

From the source repository

# Install pipenv if you don't already have it installed.
# Ideally install it using whatever the latest version of python is - on your system
python3.8 -m pip install -U pipenv

git clone https://github.com/Privex/cspgen.git
cd cspgen
# Create a virtualenv + install required deps + development deps
pipenv install --dev
# Activate the virtualenv (use 'exit' to deactivate a pipenv virtualenv)
pipenv shell
# Use run.py to run the CLI from the repo directly
./run.py --example > my_csp.ini
./run.py my_csp.ini

From Docker (DockerHub)

###
# You can run privex/cspgen directly, and docker should auto download it from Docker Hub.
# Use the image just like you would the normal csp-gen EXE
###
docker run --rm -i privex/cspgen --example > my_csp.ini
docker run --rm -i privex/cspgen < my_csp.ini
###
# You can use 'docker pull' to manually download, or update the cspgen image
###
docker pull privex/cspgen
###
# You can re-tag our image to an easier to type image name
###
docker tag privex/cspgen cspgen
docker run --rm -i cspgen < my_csp.ini

From Docker (building the image from the repository's Dockerfile)

git clone https://github.com/Privex/cspgen.git
cd cspgen
docker build -t cspgen .
docker run --rm -i cspgen < my_csp.ini

Usage

Example INI file

Once CSPGen is installed, you can start creating CSP template files, in INI format, in any folder you like.

Below is a basic example INI template which covers most of the basics:

[groups]
# First we define cdn, onions, and i2p
cdn = https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://www.privex.io
onions = privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion
i2p = privex.i2p www.privex.i2p pay.privex.i2p
# Now we can add our main websites, PLUS the onions, and i2p variables
websites = https://www.privex.io https://pay.privex.io https://privex.io {{onions}} {{i2p}}
# While defaultsrc will contain 'self' + websites + cdn
defaultsrc = 'self' {{websites}} {{cdn}}

images = https://i.imgur.com https://ipfs.io https://cloudflare-ipfs.com
video = https://youtube.com https://vimeo.com
media = {{video}} {{images}}

[default-src]
# For default-src, we can simply set zones to use the defaultsrc var
zones = {{defaultsrc}}
# Enable unsafe-inline and disable unsafe-eval for default-src
unsafe-inline = true
unsafe-eval = false

[img-src]
zones = {{defaultsrc}} {{images}} {{trustpilot}}

[media-src]
zones = {{defaultsrc}} {{media}}

[flags]
# Special header 'flags'. We can set the independent CSP flag 'upgrade-insecure-requests' here.
flags = upgrade-insecure-requests

Loading the INI file

Assuming we saved it as my_csp.ini, it can be loaded in two different ways.

As a CLI argument

You can pass one or more filenames to csp-gen as positional CLI arguments. For now we'll just pass one:

csp-gen my_csp.ini
# NOTE: If something is wrong with the binary, you can run cspgen via the Python module instead
python3 -m privex.cspgen my_csp.ini

Piping via STDIN

In keeping with UNIX conventions, the tool can also accept the config via STDIN, and it outputs the generated CSP config via STDOUT. Any log output (if logging is enabled by setting the environment variable LOG_LEVEL=DEBUG) is sent to STDERR by default, so that it can't be confused with the config printed via STDOUT.

cat my_csp.ini | csp-gen | tee -a output.txt

You can also set the filename to -, as with gzip, tar and other UNIX/Linux programs, to force reading from STDIN.

cat my_csp.ini | csp-gen - | tee -a output.txt

Customising the output format

There are currently two customisation options available:

  • --section-sep - The separator used between each "section" (e.g. default-src, img-src, media-src etc.).

    Defaults to ' ' (a single space).

  • --file-sep - The separator used between the output config of each INI file. This is only relevant when you pass more than one INI config file to csp-gen at once.

    Defaults to '\n\n' (two newlines).

Note that you don't need to pass actual newline/carriage-return/tab characters, as the script will automatically convert \n, \r and \t in text form into their real single-character equivalents.

Example

csp-gen --section-sep "\t" --file-sep "\n\n--NEXT--\n\n\t" my_csp.ini example.ini

This results in the following output (the line breaks in the output below were added after copying, for readability):

default-src: 'self' https://www.privex.io https://pay.privex.io https://privex.io 
privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p https://cdn.privex.io 
cdn.privex.i2p files.privex.i2p files.privex.io 'unsafe-inline'; img-src: 'self' https://www.privex.io https://pay.privex.io 
https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p https://cdn.privex.io 
cdn.privex.i2p files.privex.i2p files.privex.io https://i.imgur.com https://ipfs.io 
https://cloudflare-ipfs.com;   media-src: 'self' https://www.privex.io https://pay.privex.io https://privex.io 
privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p https://cdn.privex.io 
cdn.privex.i2p files.privex.i2p files.privex.io https://youtube.com https://vimeo.com https://i.imgur.com 
https://ipfs.io https://cloudflare-ipfs.com;   upgrade-insecure-requests;

--NEXT--

    default-src: 'self' https://www.privex.io https://pay.privex.io https://privex.io 
privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p https://cdn.
privex.io cdn.privex.i2p files.privex.i2p files.privex.io 'unsafe-inline'; style-src: 'self' https://www.privex.io 
https://pay.privex.io https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p https://cdn.
privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://widget.trustpilot.com https://trustpilot.com 
https://fonts.gstatic.com https://fonts.googleapis.com 'unsafe-inline';     script-src: 'self' https://www.privex.io 
https://pay.privex.io https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion  
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p 
https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://widget.trustpilot.com  
https://trustpilot.com 'unsafe-inline';   font-src: 'self' https://www.privex.io https://pay.privex.io  
https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p 
https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://widget.trustpilot.com 
https://trustpilot.com https://fonts.gstatic.com https://fonts.googleapis.com;      img-src: 'self' 
https://www.privex.io https://pay.privex.io https://privex.io 
privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p 
pay.privex.i2p https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io 
https://i.imgur.com https://ipfs.io https://cloudflare-ipfs.com https://widget.trustpilot.com 
https://trustpilot.com;      media-src: 'self' https://www.privex.io https://pay.privex.io 
https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p 
https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://youtube.com https://vimeo.com 
https://i.imgur.com https://ipfs.io https://cloudflare-ipfs.com;   object-src: 'self' https://www.privex.io 
https://pay.privex.io https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p 
https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://youtube.com https://vimeo.com 
https://i.imgur.com https://ipfs.io https://cloudflare-ipfs.com;  form-action: 'self' https://www.privex.io 
https://pay.privex.io https://privex.io privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p 
https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io https://hived.privex.io;       
connect-src: 'self' https://www.privex.io https://pay.privex.io https://privex.io 
privex3guvvasyer6pxz2fqcgy56auvw5egkir6ykwpptferdcb5toad.onion 
privexqvhkwdsdnjofrsm7reaixclmzpbpveefiu4uctfm2l4mycnwad.onion privex.i2p www.privex.i2p pay.privex.i2p 
https://cdn.privex.io cdn.privex.i2p files.privex.i2p files.privex.io 
https://hived.privex.io;       upgrade-insecure-requests;
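To show how the [groups] substitution, the per-section unsafe-* booleans, the [flags] section and the --section-sep escape handling described above fit together, here is a small simplified re-implementation in Python. It is added for illustration and is not CSPGen's own code: the INI text is constructed for the example, undefined {{names}} are assumed to expand to nothing, and directives are emitted in standard Content-Security-Policy header syntax.

```python
import configparser
import re

# Constructed sample INI (not the project's example.ini), shaped like my_csp.ini above.
SAMPLE_INI = """[groups]
onions = example3abc.onion
websites = https://www.example.com {{onions}}
defaultsrc = 'self' {{websites}}
images = https://i.imgur.com
[default-src]
zones = {{defaultsrc}}
unsafe-inline = true
unsafe-eval = false
[img-src]
zones = {{defaultsrc}} {{images}}
[flags]
flags = upgrade-insecure-requests
"""
VAR = re.compile(r"\{\{(\w[\w-]*)\}\}")

def expand(value: str, groups: dict, depth: int = 0) -> str:
    """Recursively replace {{name}} with its group value; undefined names expand to nothing."""
    if depth > 20:  # guard against a = {{b}}, b = {{a}}
        raise ValueError("group reference nesting too deep (cycle?)")
    return VAR.sub(lambda m: expand(groups.get(m.group(1), ""), groups, depth + 1), value)

def unescape_sep(sep: str) -> str:
    """Convert literal \\n, \\r, \\t (as typed on a CLI) into real control characters."""
    return sep.replace("\\n", "\n").replace("\\r", "\r").replace("\\t", "\t")

def generate_csp(ini_text: str, section_sep: str = " ") -> str:
    """Render the INI into standard Content-Security-Policy header syntax."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(ini_text)
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    parts: list = []
    for section in cp.sections():
        if section in ("groups", "flags"):
            continue
        sec = cp[section]
        sources = expand(sec.get("zones", ""), groups).split()
        for flag in ("unsafe-inline", "unsafe-eval"):  # emitted only when set to true
            if sec.getboolean(flag, fallback=False):
                sources.append(f"'{flag}'")
        parts.append(f"{section} {' '.join(sources)};")
    if cp.has_section("flags"):  # standalone directives such as upgrade-insecure-requests
        parts.extend(f"{flag};" for flag in cp["flags"].get("flags", "").split())
    return unescape_sep(section_sep).join(parts)
```

Calling generate_csp(SAMPLE_INI, "\n") mirrors csp-gen --section-sep "\n": the literal backslash-n is unescaped and each directive lands on its own line.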

Compiling the repository into a self-contained PYZ (ZIP) executable

Requirements + Compilation

After compiling, you'll have a fully self-contained Python application at dist/csp-gen.pyz, which can be executed like a normal executable on any Linux/Unix/macOS system. Users only need Python 3 installed; nothing needs to be installed with pip3, since all dependencies are bundled inside the .PYZ file.

Required for compiling

  • A Linux / UNIX(-like) operating system. Should work on:
    • Linux distros: Ubuntu 18.04+, Debian 10+ (Buster or newer), Fedora (30+), CentOS (6+), RHEL, Oracle, and probably most others
    • BSD distros: FreeBSD, OpenBSD, NetBSD, and most others
    • macOS: any version from the past 10 years. I'd recommend nothing older than Mavericks (10.9).
  • The Linux/UNIX zip CLI application (apt install -y zip / dnf install -y zip / brew install zip)
  • The bash shell, to run the compile.sh script. Probably not compatible with bash versions older than 4.0
  • Python 3.6+ (possibly 3.7+) and pip3 (pip for Python 3 modules)

git clone https://github.com/Privex/cspgen.git
cd cspgen
./compile.sh

You should now have a fully self-contained Python application at dist/csp-gen.pyz :)

Using the PYZ file

The simplest way to use the PYZ file is to copy it to /usr/local/bin/csp-gen, like so:

# By using 'install', it will ensure 'csp-gen' has the correct perms to be read and ran by all users.
sudo install dist/csp-gen.pyz /usr/local/bin/csp-gen

You should now be able to run csp-gen as normal. The benefit of the PYZ is that you can distribute it like a static binary: it contains all the dependencies the application needs to run, in a single file.

Users don't need to run pipenv install, set up a virtualenv, or anything similar. They just need to make sure Python 3.6 or newer is installed.

user@host $ csp-gen -V

    Content Security Policy (CSP) Generator

        Version: v0.5.0
        Github:  https://github.com/Privex/cspgen
        License: X11 / MIT

        (C) 2021 Privex Inc. ( https://www.privex.io )

License

CSPGen is released under the X11 / MIT License.

See the file LICENSE.txt / LICENSE for the full license text.

Thanks for reading!

If this project has helped you, consider grabbing a VPS or Dedicated Server from Privex - prices start at as little as US$0.99/mo (we accept cryptocurrency!)

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source distribution

privex_cspgen-0.5.0.tar.gz (20.6 kB)

Built distribution

privex_cspgen-0.5.0-py3-none-any.whl (25.3 kB, Python 3)