bnomei / kirby3-security-headers
Kirby Plugin for easier Security Headers setup
Fund package maintenance!
bnomei
Patreon
buymeacoff.ee/bnomei
paypal.me/bnomei
Installs: 4 259
Dependents: 1
Suggesters: 6
Security: 0
Stars: 26
Watchers: 2
Forks: 2
Open Issues: 7
Type:kirby-plugin
Requires
- php: >=8.1.0
- getkirby/composer-installer: ^1.2
- paragonie/csp-builder: ^2.5
Requires (Dev)
- getkirby/cms: ^4.0
- php-coveralls/php-coveralls: ^2.1
- phpunit/phpunit: ^9.5
Suggests
- bnomei/kirby3-doctor: Add a panel button to check health and security of your Kirby installation
- dev-master
- 4.0.0
- 2.5.5
- 2.5.4
- 2.5.3
- 2.5.2
- 2.5.1
- 2.5.0
- 2.4.2
- 2.4.1
- 2.4.0
- 2.3.2
- 2.3.1
- 2.3.0
- 2.2.5
- 2.2.4
- 2.2.3
- 2.2.2
- 2.2.1
- 2.2.0
- 2.1.0
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.1.3
- 1.1.2
- 1.1.1
- 1.0.4
- 1.0.3
- 1.0.2
- 1.0.1
- 1.0.0
- 0.6.1
- 0.6.0
- 0.5.7
- 0.5.6
- 0.5.5
- 0.5.4
- 0.5.3
- 0.5.2
- 0.5.1
- 0.5.0
- dev-dependabot/composer/getkirby/cms-3.6.6.2
- dev-dependabot/composer/guzzlehttp/guzzle-7.7.0
- dev-dependabot/composer/guzzlehttp/psr7-2.5.0
This package is auto-updated.
Last update: 2024-03-30 11:04:40 UTC
README
Kirby Plugin for easier Security Headers setup.
🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients websites and their customers data is important.
Commercial Usage
Support open source!
This plugin is free but if you use it in a commercial project please consider to sponsor me or make a donation.
If my work helped you to make some cash it seems fair to me that I might get a little reward as well, right?
Be kind. Share a little. Thanks.
‐ Bruno
| M | O | N | E | Y |
|---|---|---|---|---|
| Github sponsor | Patreon | Buy Me a Coffee | Paypal dontation | Hire me |
Installation
- unzip master.zip as folder
site/plugins/kirby3-security-headersor git submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headersorcomposer require bnomei/kirby3-security-headers
Setup
Automatic
A route:before-hook takes care of setting the headers automatically unless one of the following conditions applies:
- Kirbys global debug mode is
true - Kirby determins it is a local setup
- the plugins setting
enabledis set tofalse
Header
The following headers will be applied by default. You can override them in the config file.
/site/config/config.php
<?php return [ 'bnomei.securityheaders.headers' => [ "X-Powered-By" => "", // unset "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "1; mode=block", "X-Content-Type-Options" => "nosniff", "strict-transport-security" => "max-age=31536000; includeSubdomains", "Referrer-Policy" => "no-referrer-when-downgrade", "Permissions-Policy" => 'interest-cohort=()', // flock-off, // ... FEATURE POLICIES // other options... ];
Loader
The Loader is used to initally create the CSPBuilder object with a given set of data. You skip that, forward a file to load, provide an array or use the default loader file. Using a custom file is recommended when for example adding additional font-src for google web fonts.
/site/config/config.php
<?php return [ 'bnomei.securityheaders.loader' => function () { // https://github.com/paragonie/csp-builder#example // null if you do NOT want to use default and/or just the setter /* return null; */ // return path of file (json or yaml) // or an array of options for the cspbuilder /* return [...]; return kirby()->roots()->site() . '/your-csp.json'; return kirby()->roots()->site() . '/your-csp.yml'; */ // otherwise forward the default file from this plugin return __DIR__ . '/loader.json'; }, // other options... ];
Setter
The Setter is applied after the Loader. Use it to add dynamic stuff like hashes and nonces.
/site/config/config.php
<?php return [ 'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) { // https://github.com/paragonie/csp-builder#build-a-content-security-policy-programmatically /** @var ParagonIE\CSPBuilder\CSPBuilder $csp */ /* $csp = $instance->csp(); $nonce = $instance->setNonce('my-inline-script'); $csp->nonce('script-src', $nonce); */ // in your template retrieve it again with /* $nonce = $page->nonce('my-inline-script'); => `THIS-IS-THE-NONCE` $attr = $page->nonceAttr('my-inline-script'); => `nonce="THIS-IS-THE-NONCE"` */ }, // other options... ];
TIP: nonces are set in the
setterand later retrieved using$page->nonce(...)or$page->nonceAttr(...).
Panel and Frontend Nonces
This plugin automatically registers Kirbys nonce for the panel. For convenience it also provides you with a single frontend nonce to use as attribute in <link>, <style> and <script> elements. You can retrieve the nonce with site()->nonce() and the full attribute with site()->nonceAttr().
<?php ?> <script nonce="<?= site()->nonce() ?>"> // ... </script> <style <?= site()->nonceAttr() ?>> </style>
TIP: The srcset plugin uses that frontend nonce as well.
Settings
| bnomei.securityheaders. | Default | Description |
|---|---|---|
| enabled | true or false or 'force' |
will set headers |
| seed | callback |
returns a seed for frontend nonce |
| headers | array |
of sensible default values. modify as needed. |
| loader | callback |
returning filepath or array |
| setter | callback |
instance which allows customizing the CSPBuilder |
Dependencies
Disclaimer
This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.
License
It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.