jfd / craft-csp-report
Sets a Content-Security-Policy-Report-Only header, creates an action to receive CSP violation reports, and logs them to a file.
Package info
github.com/jamesforddesign/craft-csp-report
Type:craft-plugin
pkg:composer/jfd/craft-csp-report
Requires
- php: >=8.2
- craftcms/cms: ^5.9.0
README
Sets a Content-Security-Policy-Report-Only header, creates an action to receive CSP violation reports, and logs them to a file.
Requirements
This plugin requires Craft CMS 5.9.0 or later and PHP 8.3 or later (note that the Composer package metadata above declares the looser constraint php >=8.2).
How to install
- Install the composer package:
composer require jfd/craft-csp-report
- Install the plugin:
php craft plugin/install _csp-report
How to use
Once installed, the plugin adds a Content-Security-Policy-Report-Only header to every page. Report-Only means the browser reports violations but blocks nothing, so the policy has no protective effect until it is later moved to an enforcing Content-Security-Policy header.
Violations are reported to /actions/_csp-report/report/log, which writes each one to storage/csp-report/csp-report.json. Browsers send these reports without any authentication, so the receiving action has to accept anonymous POSTs; treat the log file as untrusted input that anyone on the internet can append to.
The contents of this file can be viewed at /actions/_csp-report/report/get. Check whether that action is restricted to authenticated users before deploying on a public site, since the log exposes the document and blocked URIs of every reported violation.
Whitelisting sources
To whitelist known-good sources:
- Using the config.php file in the plugin directory as an example, create config/_csp-report.php in your Craft project.
- Add the sources you wish to whitelist using the following format:
return [
'allowedSources' => [
'script-src' => ["https://cdn.example.com", "'unsafe-inline'"],
'style-src' => ["https://fonts.googleapis.com", "'unsafe-inline'"],
'img-src' => ["https://images.example.com", "data:"],
'font-src' => ["https://fonts.gstatic.com"],
'connect-src' => ["https://api.example.com"],
],
];
Once done, the whitelisted sources will no longer be reported as violations. Be deliberate about 'unsafe-inline' in script-src: it permits any inline script, including one injected by an attacker, so whitelisting it removes most of the benefit the policy would give once it is enforced. Prefer nonces or hashes for inline scripts and only add origins the site genuinely loads from.
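Deciding what to whitelist is easier when the reports are aggregated rather than read one by one. The script below is an added example, not part of this plugin: it reads a csp-report.json log, counts violations per directive and source origin, and prints a suggested allowedSources block in the plugin's config format, while holding back 'unsafe-inline' and 'unsafe-eval' (and data:/blob: for script-src) for manual review instead of suggesting them. It assumes the log is a JSON array whose entries are the raw report-uri bodies browsers POST ({"csp-report": {...}}); the plugin's actual file layout is not documented on this page, so adjust the `$entry['csp-report'] ?? $entry` line if it differs. The sample log is constructed for the example.

```php
<?php
declare(strict_types=1);

// Assumed log format (not documented on this page): a JSON array whose
// entries are the raw report-uri bodies browsers POST, i.e.
// {"csp-report": {"violated-directive": "...", "blocked-uri": "...", ...}}.
// Entries without the "csp-report" wrapper are treated as the report itself.

/** Reduce a blocked-uri value to a source expression usable in allowedSources. */
function toSourceExpression(string $blockedUri): ?string
{
    // Keyword values browsers use for non-URL violations.
    $keywords = [
        'inline' => "'unsafe-inline'",
        'eval'   => "'unsafe-eval'",
        'data'   => 'data:',
        'blob'   => 'blob:',
    ];
    if (isset($keywords[$blockedUri])) {
        return $keywords[$blockedUri];
    }
    $parts = parse_url($blockedUri);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null; // "self", "about", empty string: nothing to whitelist
    }
    $origin = $parts['scheme'] . '://' . $parts['host']; // drop path and query
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return $origin;
}

/** Aggregate the log into directive => source expression => hit count. */
function summarize(string $json): array
{
    $entries = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $counts = [];
    foreach ($entries as $entry) {
        $report = $entry['csp-report'] ?? $entry;
        // effective-directive names the directive precisely; violated-directive
        // may carry the whole directive value ("connect-src https:"), so keep
        // only its first token.
        $directive = $report['effective-directive']
            ?? strtok((string)($report['violated-directive'] ?? ''), ' ');
        $source = toSourceExpression((string)($report['blocked-uri'] ?? ''));
        if ($directive === false || $directive === '' || $source === null) {
            continue;
        }
        $counts[$directive][$source] = ($counts[$directive][$source] ?? 0) + 1;
    }
    return $counts;
}

/**
 * Build an allowedSources array in the plugin's config format. Sources that
 * would weaken script execution controls are returned under needsReview
 * instead of being whitelisted automatically.
 */
function suggestConfig(array $counts, int $minHits = 1): array
{
    $allowed = [];
    $review = [];
    foreach ($counts as $directive => $sources) {
        arsort($sources); // most frequent first
        foreach ($sources as $source => $n) {
            if ($n < $minHits) {
                continue;
            }
            $risky = in_array($source, ["'unsafe-inline'", "'unsafe-eval'"], true)
                || (str_starts_with($directive, 'script-src')
                    && in_array($source, ['data:', 'blob:'], true));
            if ($risky) {
                $review[$directive][$source] = $n;
            } else {
                $allowed[$directive][] = $source;
            }
        }
    }
    return ['allowedSources' => $allowed, 'needsReview' => $review];
}

// Constructed sample log for this example, not a real capture.
$sampleLog = <<<'JSON'
[
  {"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src",
                  "violated-directive": "script-src", "blocked-uri": "https://cdn.example.com/app.js"}},
  {"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src",
                  "violated-directive": "script-src", "blocked-uri": "https://cdn.example.com/vendor.js"}},
  {"csp-report": {"document-uri": "https://example.com/about", "effective-directive": "style-src",
                  "violated-directive": "style-src", "blocked-uri": "inline"}},
  {"csp-report": {"document-uri": "https://example.com/", "effective-directive": "img-src",
                  "violated-directive": "img-src", "blocked-uri": "data"}},
  {"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src",
                  "violated-directive": "script-src", "blocked-uri": "eval"}},
  {"csp-report": {"document-uri": "https://example.com/", "violated-directive": "connect-src https:",
                  "blocked-uri": "wss://live.example.com:8443/socket"}}
]
JSON;

$result = suggestConfig(summarize($sampleLog));
echo "return " . var_export(['allowedSources' => $result['allowedSources']], true) . ";\n";
echo "// Needs manual review before whitelisting:\n";
echo var_export($result['needsReview'], true) . "\n";
```

Run it against the real log with `php suggest.php < storage/csp-report/csp-report.json` after swapping the sample for `file_get_contents('php://stdin')`. For the sample above it suggests https://cdn.example.com for script-src (two reports collapsed to one origin), data: for img-src and wss://live.example.com:8443 for connect-src, and lists the inline style and the eval under needsReview. Raise $minHits on a busy site so that one-off reports from browser extensions or scanners do not end up in the whitelist.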
How to update this package
After making your changes, tag the release:
git tag 1.0.1 # increment the release version as required
git push --tags