limesoda-com/ls-security-headers

Configures security headers like content security policy

Installs: 2 005

Dependents: 0

Suggesters: 0

Security: 0

Stars: 4

Watchers: 6

Forks: 0

Open Issues: 0

Type: typo3-cms-extension

v2.1.0 2024-11-28 13:06 UTC

This package is auto-updated.

Last update: 2025-03-31 10:05:11 UTC


README

TYPO3 13

TYPO3 Extension ls_security_headers

This extension offers configurable security headers for the frontend. You create and manage them in a database record on the root page in the TYPO3 backend.
This comes in handy if, for example, resources are regularly added or changed and you need to update the Content Security Policy (CSP) accordingly.
The extension also offers the generation of CSP nonces.

Setup

  1. Install the extension by using composer
  2. Import the provided site set in your site config or set it as dependency in the site set of your site package(s)
  3. Create a "Security Headers" record on the root page and configure the desired headers
  4. Validate your configuration with scanners such as HTTP Observatory, securityheaders.com or others.

Important Notes

  • It's highly recommended to use this extension only if the TYPO3 core feature security.frontend.enforceContentSecurityPolicy is disabled.
  • Security Headers that are defined in the .htaccess or in some other server configuration will not be overwritten.
  • If EXT:staticfilecache is used, you have to extend the validHtaccessHeaders extension setting.
  • Security Headers for the TYPO3 Backend can be defined in settings.php or additional.php with the BE setting "HTTP".

Features

Nonce support

This extension includes a TypoScript helper function for generating CSP nonces.
All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy header at the end of the request.
Basic usage:

<style nonce="{f:cObject(typoscriptObjectPath: 'lib.cspNonce', data: {length: '32', policy: 'style'})}">

The policy argument defines the policy the nonce should be added to (style for style-src, script for script-src, ...).
The length argument defines the length of the nonce in bytes.

Furthermore, it's possible to get the nonce output as an attribute with the flag asAttribute = '1'.
A possible use case is the replacement feature of TypoScript:

page.headerData.200 = COA
page.headerData.200 {
    10 = TEXT
    10.value (
        <script###NONCE###>
            console.log('Hello World');
        </script>
    )
    10.value {
        replacement {
            1 {
                search = ###NONCE###
                replace.stdWrap.postUserFuncInt = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
                replace.stdWrap.postUserFuncInt {
                    length = 32
                    policy = script
                    asAttribute = 1
                }
            }
        }
    }
}

Additionally, you can define your own TypoScript library for use with the cObject ViewHelper:

lib.nonceAttribute = USER_INT
lib.nonceAttribute {
    userFunc = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
    length = 32
    policy = script
    asAttribute = 1
}
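As an added illustration (not the extension's own code), the following hypothetical PHP class shows the mechanism this section describes: nonces are generated per policy during a request and appended to the matching directive of the Content-Security-Policy header when the response is sent. Class and method names, the minimum-length check and the fallback to default-src are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical collector for illustration; not LimeSoda\LsSecurityHeaders\UserFunctions\Csp.
final class CspNonceCollector
{
    /** @var array<string, string[]> nonces collected per policy keyword, e.g. 'script' => [...] */
    private array $nonces = [];

    /** Generate $lengthBytes random bytes as a base64 nonce and remember it for $policy ('script', 'style', ...). */
    public function generateNonce(int $lengthBytes, string $policy, bool $asAttribute = false): string
    {
        if ($lengthBytes < 16) { // assumption: insist on at least 128 bits of randomness
            throw new InvalidArgumentException('CSP nonces should carry at least 16 random bytes');
        }
        $nonce = base64_encode(random_bytes($lengthBytes));
        $this->nonces[$policy][] = $nonce;
        // With asAttribute the result can replace ###NONCE### directly after "<script" or "<style".
        return $asAttribute ? ' nonce="' . $nonce . '"' : $nonce;
    }

    /** Append every collected nonce to the matching *-src directive of an existing CSP header value. */
    public function applyToHeader(string $csp): string
    {
        $directives = [];
        foreach (array_filter(array_map('trim', explode(';', $csp))) as $part) {
            [$name, $value] = array_pad(preg_split('/\s+/', $part, 2), 2, '');
            $directives[strtolower($name)] = $value;
        }
        foreach ($this->nonces as $policy => $list) {
            $name = $policy . '-src';
            // A missing script-src/style-src inherits default-src in browsers; starting the new
            // directive from default-src keeps those sources instead of silently dropping them.
            $base = $directives[$name] ?? ($directives['default-src'] ?? '');
            $sources = array_map(fn (string $n): string => "'nonce-$n'", $list);
            $directives[$name] = trim($base . ' ' . implode(' ', $sources));
        }
        $out = [];
        foreach ($directives as $name => $value) {
            $out[] = trim($name . ' ' . $value);
        }
        return implode('; ', $out);
    }
}

// Demo: two script nonces and one style nonce are requested while the page renders.
$collector = new CspNonceCollector();
$attr = $collector->generateNonce(32, 'script', true);
$collector->generateNonce(32, 'script');
$collector->generateNonce(32, 'style');
echo '<script' . $attr . '>console.log("Hello World");</script>', PHP_EOL;
echo $collector->applyToHeader("default-src 'self'; script-src 'self'"), PHP_EOL;
```

Note that once a directive contains a nonce, browsers ignore any 'unsafe-inline' keyword in that same directive, so inline code without a nonce is blocked as intended.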

CSP Reporting

The extension provides local CSP reporting that can be enabled in the extension settings. The reports are stored in the
database and can be accessed in the TYPO3 backend module "Security Headers". Additionally, a dashboard widget is
available for a quick overview.

Resources