limesoda-com/ls-security-headers

Configures security headers like content security policy

Installs: 996

Dependents: 0

Suggesters: 0

Security: 0

Stars: 4

Watchers: 7

Forks: 0

Open Issues: 0

Type:typo3-cms-extension

v2.0.0 2024-10-22 10:03 UTC

This package is auto-updated.

Last update: 2024-10-22 10:29:18 UTC


README

TYPO3 13

TYPO3 Extension ls_security_headers

This extension offers configurable security headers for the frontend. You can easily create and manage them in a database record of your root page in the TYPO3 backend.
This comes in handy if for example resources are regularly added/changed, and you need to update the content security policy (CSP) accordingly.
The extension also offers the generation of CSP nonces.

Setup

  1. Install the extension by using composer
  2. Create a "Security Headers" record on the root page and configure the desired headers
  3. Validate your configuration with the scanners of HTTP Observatory, securityheaders.com and/or many others.

Important Notes

  • It's highly recommended to use this extension only if the TYPO3 core feature security.frontend.enforceContentSecurityPolicy is disabled.
  • Security Headers that are defined in the .htaccess or in some other server configuration will not be overwritten.
  • If EXT:staticfilecache is used, you have to extend the validHtaccessHeaders extension setting.
  • Security Headers for the TYPO3 Backend can be defined in settings.php or additional.php with the BE setting "HTTP".

Nonce support

This extension includes a TypoScript helper function for generating CSP nonces.
All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy header at the end of the request.
Basic usage:

<style nonce="{f:cObject(typoscriptObjectPath: 'lib.cspNonce', data: {length: '32', policy: 'style'})}">

The policy argument defines the policy the nonce should be added to (style for style-src, script for script-src, ...).
The length argument defines the length of the nonce in bytes.

Furthermore, it's possible to get the nonce output as attribute with the flag asAttribute = '1'.
A possible use case is the replacement feature of TypoScript:

page.headerData.200 = COA
page.headerData.200 {
    10 = TEXT
    10.value (
        <script###NONCE###>
            console.log('Hello World');
        </script>
    )
    10.value {
        replacement {
            1 {
                search = ###NONCE###
                replace.stdWrap.postUserFuncInt = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
                replace.stdWrap.postUserFuncInt {
                    length = 32
                    policy = script
                    asAttribute = 1
                }
            }
        }
    }
}

Additionally, you can write your own library for the cObject-ViewHelper:

lib.nonceAttribute = USER_INT
lib.nonceAttribute {
    userFunc = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
    length = 32
    policy = script
    asAttribute = 1
}

Ressources