Kirby 3 Plugin for easier Security Headers setup

1.1.3 2019-08-06 20:16 UTC



Kirby 3 Plugin for easier Security Headers setup.

🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients' websites and their customers' data is important.

Commercial Usage

This plugin is free but if you use it in a commercial project please consider to


Installation

  • unzip as folder site/plugins/kirby3-security-headers or
  • git submodule add site/plugins/kirby3-security-headers or
  • composer require bnomei/kirby3-security-headers


Automatic Setup

A route:before hook sets the headers automatically on every setup except localhost/webpack (development) environments.

Manual Setup

  • Set bnomei.securityheaders.route.before to false in your config file.
  • Set the headers before outputting any other string.
  • Do NOT leave a space between the snippet call and the doctype statement - because reasons.
  • Read the FAQs.

```php
?><!DOCTYPE html>
<!-- ... -->
```


Settings

All settings need to be prefixed with bnomei.securityheaders.


  • default: true will set headers


  • default: false will not set headers in panel


  • default: true will set headers with a route:before-hook


  • default: array of sensible default values. modify as needed.


  • default: null will limit all content to the current domain by setting default-src, style-src, script-src, img-src, font-src and connect-src. It will NOT add 'unsafe-inline' or 'unsafe-eval' – use nonces and hashes instead.


  • default: [] allows you to define plain text strings that are randomized on each page refresh into a unique base64 encoded string and added to the header. Use $page->nonce('plain-string') to retrieve the nonce.

TIP: kirby3-htmlhead nonces are always defined.


  • default: [] allows you to set valid hash definitions to headers.
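As an added illustration of what the nonce and hash settings above do (this is standalone example code, not the plugin's own implementation; the function names are assumed), the following PHP builds a Content-Security-Policy header that restricts all sources to the current origin, allows a per-request nonce, and allows one fixed inline script by its sha256 hash, without resorting to 'unsafe-inline' or 'unsafe-eval':

```php
<?php
// Added example, not part of kirby3-security-headers. Demonstrates the
// mechanism behind the nonce and hash settings: a CSP limited to 'self',
// with inline code permitted only by nonce or hash.

/** One random nonce per request: base64 of 16 random bytes. */
function cspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/** CSP hash source for a fixed inline script body (sha256, base64). */
function cspHash(string $inlineScript): string
{
    return "'sha256-" . base64_encode(hash('sha256', $inlineScript, true)) . "'";
}

/** Build the header value; $hashes are extra script-src hash sources. */
function buildCsp(string $nonce, array $hashes = []): string
{
    $directives = [
        'default-src' => ["'self'"],
        'script-src'  => array_merge(["'self'", "'nonce-{$nonce}'"], $hashes),
        'style-src'   => ["'self'", "'nonce-{$nonce}'"],
        'img-src'     => ["'self'"],
        'font-src'    => ["'self'"],
        'connect-src' => ["'self'"],
    ];
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

$nonce  = cspNonce();
$inline = "console.log('hello');";           // constructed sample inline script
$csp    = buildCsp($nonce, [cspHash($inline)]);

// Headers must go out before any output, as the manual setup notes say.
if (!headers_sent()) {
    header('Content-Security-Policy: ' . $csp);
}
?><!DOCTYPE html>
<html><head>
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>">document.title = 'nonce ok';</script>
<script><?= $inline ?></script>
</head><body></body></html>
```

The hashed script must be emitted byte-for-byte as it was hashed, and the nonce must never be reused across requests, otherwise the allowance is meaningless.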


This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.



It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.