
sixbysix/magento2-csp-fixer

Latest stable version: 1.0.2

Composer install command:

composer require sixbysix/magento2-csp-fixer

Package description

Magento 2 CSP Fixer

README

https://gitlab.com/sixbysix/magento2-csp-fixer

This extension provides a number of tools to help you implement a Content Security Policy (CSP) on your Magento 2 store.

Currently, Magento stores may operate their CSP policies in report-only mode and remain compliant with PCI DSS. However, this is not a long-term solution, and from March 2025 all Magento stores will be required to have a fully operational CSP.

Features

  • HTML Fixer
    • Converts inline event listeners to tag-based event listeners.
    • Converts inline styles to tag-based styles.
    • Converts inline scripts to tag-based scripts.
    • Generates nonce attributes for inline scripts and styles.
  • CSP directive management
    • Manage your CSP directives from the Magento admin panel.
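
The following is an added example, not the extension's own code: one way an inline event listener can be turned into a tag-based listener that carries a nonce, using PHP's DOM extension. The function name, the `data-csp-id` marker attribute and the sample page are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not the extension's source: rewrite inline on*
// handlers into one nonce-bearing <script> and nonce inline <script>/<style>.
function fixInlineHandlers(string $html, string $nonce): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate HTML5 tags libxml does not know
    $doc->loadHTML($html);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    $js = [];
    foreach ($xpath->query('//*[@*[starts-with(name(), "on")]]') as $i => $el) {
        $id = 'csp-' . $i;              // hypothetical marker attribute value
        $el->setAttribute('data-csp-id', $id);
        foreach (iterator_to_array($el->attributes) as $attr) {
            if (strncmp($attr->name, 'on', 2) !== 0) {
                continue;
            }
            // Caveat: "return false" in an inline handler cancels the default
            // action; inside addEventListener it does not.
            $js[] = sprintf(
                'document.querySelector(%s).addEventListener(%s, function (event) { %s });',
                json_encode('[data-csp-id="' . $id . '"]', JSON_HEX_TAG),
                json_encode(substr($attr->name, 2)),
                $attr->value
            );
            $el->removeAttribute($attr->name);
        }
    }
    // Existing inline blocks only need the nonce; external scripts are left alone.
    foreach ($xpath->query('//script[not(@src)] | //style') as $inline) {
        $inline->setAttribute('nonce', $nonce);
    }
    if ($js !== []) {
        $script = $doc->createElement('script');
        $script->setAttribute('nonce', $nonce);
        $script->appendChild($doc->createTextNode("\n" . implode("\n", $js) . "\n"));
        $doc->getElementsByTagName('body')->item(0)->appendChild($script);
    }
    return $doc->saveHTML();
}

// Constructed sample page.
$page = '<html><body><style>p{color:red}</style>'
      . '<button onclick="alert(1)">Buy</button></body></html>';
$nonce = base64_encode(random_bytes(16));   // fresh value for every response
echo "Content-Security-Policy: script-src 'self' 'nonce-$nonce'; style-src 'self' 'nonce-$nonce'\n";
echo fixInlineHandlers($page, $nonce);
```

With the handlers moved and every inline block carrying the nonce, the policy no longer needs `'unsafe-inline'` in `script-src` or `style-src`.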

Installation

  1. Add the extension to your Magento 2 store using Composer:
     composer require sixbysix/magento2-csp-fixer
    
  2. Enable the extension:
     bin/magento module:enable SixBySix_CspFixer
     bin/magento setup:upgrade
    

Configuration

Control mode (Report-Only or Strict-Mode)

  1. Navigate to Stores > Configuration > Security > Content Security Policy (CSP).
  2. Open the Mode section.
  3. Under each section you can enable/disable "Report-Only" mode.

CSP Mode Configuration

Enable fixer

  1. Navigate to Stores > Configuration > Security > Content Security Policy (CSP).
  2. Open the CSP Fixer section.
  3. Set Enabled to Yes.
  4. If you enable the "Debug" option, the fixer will log the changes it makes to the page in MAGE_ROOT/var/log/sixbysix_cspfixer.log.

CSP Fixer Configuration

Manage CSP Policies

  1. Navigate to Stores > Configuration > Security > Content Security Policy (CSP).
  2. Open the CSP Policies section.
  3. Enable or disable the CSP policy injection using the Enabled field.
  4. Under the Policies field, you can add your CSP policies. These will be injected into the CSP whitelist during the page load.

CSP Policies Configuration

Testing

Commits to this repository will trigger a GitLab CI pipeline that will run the following tests.

Note: all tests are executed on a clean Magento 2.4.* instance

  • phpstan
  • phpunit

Statistics

  • Total downloads: 677
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Clicks: 0
  • Dependents: 0
  • Suggesters: 0

GitHub information

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2024-06-28