limesoda-com / ls-security-headers
Configures security headers like content security policy
Installs: 996
Dependents: 0
Suggesters: 0
Security: 0
Stars: 4
Watchers: 7
Forks: 0
Open Issues: 0
Type:typo3-cms-extension
Requires
- php: >=8.2 <=8.3.99
- typo3/cms-core: ^13.4
README
TYPO3 Extension ls_security_headers
This extension offers configurable security headers for the frontend. You can easily create and manage them
in a database record of your root page in the TYPO3 backend.
This comes in handy if for example resources are regularly added/changed, and you need to update the content security
policy (CSP) accordingly.
The extension also offers the generation of CSP nonces.
Setup
- Install the extension by using composer
- Create a "Security Headers" record on the root page and configure the desired headers
- Validate your configuration with the scanners of HTTP Observatory, securityheaders.com and/or many others.
Important Notes
- It's highly recommended to use this extension only if the TYPO3 core feature
security.frontend.enforceContentSecurityPolicy
is disabled. - Security Headers that are defined in the
.htaccess
or in some other server configuration will not be overwritten. - If EXT:staticfilecache is used, you have to extend the validHtaccessHeaders extension setting.
- Security Headers for the TYPO3 Backend can be defined in
settings.php
oradditional.php
with the BE setting "HTTP".
Nonce support
This extension includes a TypoScript helper function for generating CSP nonces.
All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy
header at the end of the request.
Basic usage:
<style nonce="{f:cObject(typoscriptObjectPath: 'lib.cspNonce', data: {length: '32', policy: 'style'})}">
The policy argument defines the policy the nonce should be added to (style for style-src, script for
script-src, ...).
The length argument defines the length of the nonce in bytes.
Furthermore, it's possible to get the nonce output as attribute with the flag asAttribute = '1'
.
A possible use case is the replacement feature of TypoScript:
page.headerData.200 = COA
page.headerData.200 {
10 = TEXT
10.value (
<script###NONCE###>
console.log('Hello World');
</script>
)
10.value {
replacement {
1 {
search = ###NONCE###
replace.stdWrap.postUserFuncInt = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
replace.stdWrap.postUserFuncInt {
length = 32
policy = script
asAttribute = 1
}
}
}
}
}
Additionally, you can write your own library for the cObject-ViewHelper:
lib.nonceAttribute = USER_INT
lib.nonceAttribute {
userFunc = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
length = 32
policy = script
asAttribute = 1
}