basecom/magento2-csp-split-header

Magento 2 module to split oversized CSP headers into multiple headers.

1.0.6 2024-10-07 08:37 UTC

Last update: 2024-11-10 07:18:03 UTC


README

Important

As of Magento 2.4.7 it is no longer possible to deactivate the Magento CSP module.

With a growing Content Security Policy (CSP) whitelist, the Content-Security-Policy-Report-Only and/or Content-Security-Policy header can become so large that it exceeds the maximum size the web server permits for a single header field, and the server then refuses to process the response any further.

CSP allows several policies to be delivered for one resource: via the Content-Security-Policy header, the Content-Security-Policy-Report-Only header and a meta element [MDN]. In particular, either header may appear more than once in a response, and the browser enforces every policy it receives.

This is where the module comes in. It implements an after-method plugin for Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render. Once the renderer has set the CSP header, the plugin reads it, splits it at directive boundaries so that every fragment is a syntactically valid policy on its own, and replaces the single header through \Magento\Framework\App\Response\HttpInterface::setHeader with one header per directive. Each of these headers should then stay within the web server's header-size limit.

Warning

Browsers enforce each CSP header independently, so a load must be permitted by every header that constrains it. A policy that lacks a fetch directive falls back to its own default-src, which means a header containing nothing but default-src constrains every fetch directive by itself. The split policy is therefore at least as strict as the original, and becomes stricter wherever a directive such as img-src or script-src lists a source that default-src does not: such a load was allowed by the single header and is blocked by the split ones. Check the split policy with Content-Security-Policy-Report-Only before enforcing it.

Tip

If the headers are still too large after splitting, identify Magento modules you do not need and remove them; each module can contribute its own entries to the CSP whitelist.

Installation

  1. Install it into your Magento 2 project with composer:

    composer require basecom/magento2-csp-split-header
  2. Enable module

    bin/magento setup:upgrade

Configuration

Splitting is switched on or off in the system configuration under Basecom -> Content Security Policy -> Enable.

Example

  1. CSP splitting disabled

    Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;
  2. CSP splitting enabled

    Content-Security-Policy: default-src 'self' https://example.com;
    Content-Security-Policy: connect-src 'none';
    Content-Security-Policy: script-src https://example.com/;
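The per-directive split shown above, together with a check of what the split means to a browser, as an added example in Python. It is not the module's code (the module is a PHP plugin): the policies are constructed for illustration, https://shop.example stands in for the store's own origin, and source matching is simplified to 'none', 'self', '*' and absolute host-sources.

```python
"""Split a CSP header per directive and evaluate single vs. split policies.

Added example, not code from the basecom module. Policies below are
constructed; 'https://shop.example' is an assumed store origin.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when a policy omits them.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
}


def parse_policy(header: str) -> dict:
    """Parse one serialized policy into {directive: [source expressions]}.

    Directives are ';'-separated and the first token of each is its name.
    Empty segments (a trailing ';') are skipped, and a directive repeated
    within one policy keeps only its first occurrence, as CSP prescribes.
    """
    policy = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def split_per_directive(header: str) -> list:
    """One single-directive policy per directive, each a valid header value."""
    return [" ".join([name, *sources])
            for name, sources in parse_policy(header).items()]


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified source matching: 'none', 'self', '*' and absolute
    host-sources with an optional path prefix. Nonces, hashes, scheme-only
    and wildcard-host sources are out of scope and never match here."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        return True
    if source.startswith("'") or "://" not in source:
        return False
    src = urlsplit(source)
    return (origin_of(url) == f"{src.scheme}://{src.netloc}"
            and urlsplit(url).path.startswith(src.path))


def policy_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """One policy's verdict: the directive's own sources if present, else
    the default-src fallback for fetch directives, else no restriction."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def headers_allow(headers: list, directive: str, url: str, page_origin: str) -> bool:
    """Browser rule for several CSP headers: each policy is enforced
    independently, so every one of them must allow the load."""
    return all(policy_allows(parse_policy(h), directive, url, page_origin)
               for h in headers)


def compare(single: str, directive: str, url: str, page_origin: str) -> tuple:
    """(verdict of the single header, verdict of the split headers)."""
    split = split_per_directive(single)
    return (headers_allow([single], directive, url, page_origin),
            headers_allow(split, directive, url, page_origin))


PAGE = "https://shop.example"  # assumed store origin

# The README's example: every specific directive is a subset of
# default-src, so splitting does not change any verdict.
README_POLICY = ("default-src 'self' https://example.com; "
                 "connect-src 'none'; script-src https://example.com/;")

# Constructed counter-example: img-src names a host that default-src does
# not. As one header, img-src replaces the fallback and the image loads;
# as split headers, the bare default-src policy also governs img-src.
TIGHTENED_POLICY = "default-src 'self'; img-src https://images.example"

if __name__ == "__main__":
    for value in split_per_directive(README_POLICY):
        print("Content-Security-Policy:", value)
    print(compare(README_POLICY, "script-src", "https://example.com/app.js", PAGE))
    print(compare(TIGHTENED_POLICY, "img-src", "https://images.example/a.png", PAGE))
```

For the README's policy every comparison yields the same verdict before and after splitting; for the constructed second policy the image is allowed by the single header and blocked by the split headers, which is the case to look for in Report-Only output before enforcing.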

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email magento@basecom.de instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Copyright

© 2024 basecom GmbH & Co. KG