Kirby Plugin for easier Security Headers setup

4.0.0 2024-03-01 10:45 UTC


Release Downloads Build Status Coverage Status Maintainability

Kirby Plugin for easier Security Headers setup.

🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients websites and their customers data is important.

  1. Automatic Setup
  2. Setup: Headers
  3. Setup: Loader
  4. Setup: Setter
  5. Frontend Nonce
  6. Settings

Commercial Usage

Support open source!

This plugin is free but if you use it in a commercial project please consider to sponsor me or make a donation.
If my work helped you to make some cash it seems fair to me that I might get a little reward as well, right?

Be kind. Share a little. Thanks.

‐ Bruno
Github sponsor Patreon Buy Me a Coffee Paypal dontation Hire me


  • unzip as folder site/plugins/kirby3-security-headers or
  • git submodule add site/plugins/kirby3-security-headers or
  • composer require bnomei/kirby3-security-headers



A route:before-hook takes care of setting the headers automatically unless one of the following conditions applies:

  • Kirbys global debug mode is true
  • Kirby determins it is a local setup
  • the plugins setting enabled is set to false


The following headers will be applied by default. You can override them in the config file.


return [
    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-Frame-Options" => "SAMEORIGIN",
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "strict-transport-security" => "max-age=31536000; includeSubdomains",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', // flock-off,
        // ... FEATURE POLICIES
    // other options...


The Loader is used to initally create the CSPBuilder object with a given set of data. You skip that, forward a file to load, provide an array or use the default loader file. Using a custom file is recommended when for example adding additional font-src for google web fonts.


return [
    'bnomei.securityheaders.loader' => function () {
        // null if you do NOT want to use default and/or just the setter
            return null;
        // return path of file (json or yaml)
        // or an array of options for the cspbuilder
            return [...];
            return kirby()->roots()->site() . '/your-csp.json';
            return kirby()->roots()->site() . '/your-csp.yml';
        // otherwise forward the default file from this plugin
        return __DIR__ . '/loader.json';
    // other options...


The Setter is applied after the Loader. Use it to add dynamic stuff like hashes and nonces.


return [
    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
        /** @var ParagonIE\CSPBuilder\CSPBuilder $csp */
            $csp = $instance->csp();
            $nonce = $instance->setNonce('my-inline-script');
            $csp->nonce('script-src', $nonce);
        // in your template retrieve it again with
            $nonce = $page->nonce('my-inline-script');
            => `THIS-IS-THE-NONCE`
            $attr = $page->nonceAttr('my-inline-script');
            => `nonce="THIS-IS-THE-NONCE"`
    // other options...

TIP: nonces are set in the setter and later retrieved using $page->nonce(...) or $page->nonceAttr(...).

Panel and Frontend Nonces

This plugin automatically registers Kirbys nonce for the panel. For convenience it also provides you with a single frontend nonce to use as attribute in <link>, <style> and <script> elements. You can retrieve the nonce with site()->nonce() and the full attribute with site()->nonceAttr().

<?php ?>

<script nonce="<?= site()->nonce() ?>">
// ...

<style <?= site()->nonceAttr() ?>>


TIP: The srcset plugin uses that frontend nonce as well.


bnomei.securityheaders. Default Description
enabled true or false or 'force' will set headers
seed callback returns a seed for frontend nonce
headers array of sensible default values. modify as needed.
loader callback returning filepath or array
setter callback instance which allows customizing the CSPBuilder



This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.



It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.