born05/craft-csp

Content Security Policy (or CSP) generator using nonces.

Installs: 8 470

Dependents: 0

Suggesters: 0

Security: 0

Stars: 10

Watchers: 7

Forks: 10

Open Issues: 0

Type:craft-plugin

3.0.0 2024-08-20 11:44 UTC

This package is auto-updated.

Last update: 2024-11-20 12:26:24 UTC


README

Content Security Policy (or CSP) generator using nonces.

Currently does not work in combination with {% js %}{% endjs %} block code twig tags.

Requirements

  • Craft 4.0.0 and up
  • PHP 8.0.2 and up

Installation

To install the plugin, search the plugin store for "Content Security Policy" or:

composer require born05/craft-csp

Setting up

Either config using config/content-security-policy.php or use nonces:

{# Regular html #}
<script src="url/of/script.js" nonce="{{ cspNonce('script-src') }}"></script>
<link href="url/of/style.css" rel="stylesheet" nonce="{{ cspNonce('style-src') }}" />

{# Twig tags #}
{% css inlineCSS with {nonce: cspNonce('style-src')} %}
{% js 'example.js' with {nonce: cspNonce('script-src')} %}

Example config/content-security-policy.php:

<?php

return [
    'enabled' => true,
    
    'reportOnly' => false,

    'baseUri' => [
        "'none'",
    ],
    'defaultSrc' => [],
    'scriptSrc' => [
        "'self'",
    ],
    'styleSrc' => [
        "'self'",
    ],
    'imgSrc' => [
        "'self'",
    ],
    'connectSrc' => [],
    'fontSrc' => [],
    'objectSrc' => [],
    'mediaSrc' => [],
    'frameSrc' => [],
    'sandbox' => [],
    'reportUri' => [],
    'childSrc' => [],
    'formAction' => [],
    'frameAncestors' => [],
    'pluginTypes' => [],
    'reportTo' => [],
    'workerSrc' => [],
    'manifestSrc' => [],
    'navigateTo' => [],
];

Troubleshooting

If using the SEOMatic plugin, nonces added by that plugin will interfer with this plugin's configuration. You can disable this feature at /admin/seomatic/plugin#tags and re-enable the scripts with the following code:

{% do seomatic.script.get("googleAnalytics").nonce(cspNonce('script-src')) %}

For config options see: Settings.php

License

Copyright © Born05

See license