sixbysix/magento2-csp-fixer

Magento 2 CSP Fixer

Maintainers

Details

gitlab.com/sixbysix/magento2-csp-fixer

Homepage

Source

Issues

Installs: 18

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Forks: 0

1.0.1 2025-01-17 15:43 UTC

MIT 0d0e0c4b436dee56d1524c0d7a2aa30ad0dae74d

  • Daniel Ness <daniel.woop@sixbysix.co.uk>

This package is auto-updated.

Last update: 2025-01-17 15:45:11 UTC

README

https://gitlab.com/sixbysix/magento2-csp-fixer

This extension provides a number of tools to help you implement a Content Security Policy (CSP) on your Magento 2 store.

Currently Magento stores may operate their CSP policies in report-only mode and remain compliant with PCI DSS. However, this is not a long-term solution and from March 2025 all Magento stores will be required to have a fully operational CSP.

Features

  • HTML Fixer
    • Converts inline event listeners to tag-based event listeners.xs
    • Converts inline styles to tag-based styles.
    • Converts inline scripts to tag-based scripts.
    • Generates nonce attributes for inline scripts and styles.
  • CSP directive management
    • Manage your CSP directives from the Magento admin panel.

Installation

  1. Add the extension to your Magento 2 store using Composer:
     composer require sixbysix/magento2-csp-fixer
  2. Enable the extension:
     bin/magento module:enable SixBySix_CspFixer
 bin/magento setup:upgrade

Configuration

Control mode (Report-Only or Strict-Mode)

  1. Navigate to Stores > Configuration > Security > Content Security Policy (CSP).
  2. Open the Mode section.
  3. Under each section you can enable/disable "Report-Only" mode.

CSP Mode Configuration

Enable fixer

  1. Navigate to Stores > Configuration > Security > Content Security Policy (CSP).
  2. Open the CSP Fixer section.
  3. Set Enabled to Yes.
  4. If you enable the "Debug" option, the fixer will log the changes it makes to the page in MAGE_ROOT/var/log/sixbysix_cspfixer.log.

CSP Fixer Configuration

Manage CSP Policies

  1. Navigate to Stores > Configuration > Security > Content Security Policy (CSP).
  2. Open the CSP Policies section.
  3. Enable or disable the CSP policy injection using the Enabled field.
  4. Under the Policies field, you can add your CSP policies. These will be injected into the CSP whitelist during the page load.

CSP Policies Configuration

Testing

Commits to this repository will trigger a GitLab CI pipeline that will run the following tests.

Note: all tests are executed on a clean Magento 2.4.* instance

  • phpstan
    •
  • phpunit
    •