{"id":15654717,"url":"https://github.com/bnomei/kirby3-security-headers","last_synced_at":"2025-04-13T06:42:32.098Z","repository":{"id":37587517,"uuid":"142447662","full_name":"bnomei/kirby3-security-headers","owner":"bnomei","description":"Kirby Plugin for easier Content Security Policy Headers","archived":false,"fork":false,"pushed_at":"2025-02-11T12:05:53.000Z","size":597,"stargazers_count":26,"open_issues_count":4,"forks_count":3,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-26T23:09:23.133Z","etag":null,"topics":["apache","content-security-policy","csp","hash","json","kirby","kirby-cms","kirby-plugin","kirby4","kirby5","nginx","nonce","security-headers","yaml"],"latest_commit_sha":null,"homepage":"https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bnomei.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"bnomei","patreon":"bnomei","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":["https://buymeacoff.ee/bnomei","https://paypal.me/bnomei"]}},"created_at":"2018-07-26T13:51:21.000Z","updated_at":"2025-02-11T12:05:47.000Z","dependencies_parsed_at":"2024-01-12T12:56:39.871Z","dependency_job_id":"0922d00b-4002-4883-9a7b-1c977599838d","html_url":"https://github.com/bnomei/kirby3-security-headers","commit_stats":{"total_commits":92,"total_committers":3,"mean_commits":"30.666666666666668","dds":0.3
586956521739131,"last_synced_commit":"dca5a1b763cd18cda5a5601a715627213852b732"},"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bnomei%2Fkirby3-security-headers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bnomei%2Fkirby3-security-headers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bnomei%2Fkirby3-security-headers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bnomei%2Fkirby3-security-headers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bnomei","download_url":"https://codeload.github.com/bnomei/kirby3-security-headers/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248675440,"owners_count":21143763,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","content-security-policy","csp","hash","json","kirby","kirby-cms","kirby-plugin","kirby4","kirby5","nginx","nonce","security-headers","yaml"],"created_at":"2024-10-03T12:53:38.547Z","updated_at":"2025-04-13T06:42:32.079Z","avatar_url":"https://github.com/bnomei.png","language":"PHP","funding_links":["https://github.com/sponsors/bnomei","https://patreon.com/bnomei","https://buymeacoff.ee/bnomei","https://paypal.me/bnomei","https://www.buymeacoffee.com/bnomei"],"categories":[],"sub_categories":[],"readme":"# Kirby Content Security Policy Header\n\n[![Kirby 
5](https://flat.badgen.net/badge/Kirby/5?color=ECC748)](https://getkirby.com)\n![PHP 8.2](https://flat.badgen.net/badge/PHP/8.2?color=4E5B93\u0026icon=php\u0026label)\n![Release](https://flat.badgen.net/packagist/v/bnomei/kirby3-security-headers?color=ae81ff\u0026icon=github\u0026label)\n![Downloads](https://flat.badgen.net/packagist/dt/bnomei/kirby3-security-headers?color=272822\u0026icon=github\u0026label)\n[![Coverage](https://flat.badgen.net/codeclimate/coverage/bnomei/kirby3-security-headers?icon=codeclimate\u0026label)](https://codeclimate.com/github/bnomei/kirby3-security-headers)\n[![Maintainability](https://flat.badgen.net/codeclimate/maintainability/bnomei/kirby3-security-headers?icon=codeclimate\u0026label)](https://codeclimate.com/github/bnomei/kirby3-security-headers/issues)\n[![Discord](https://flat.badgen.net/badge/discord/bnomei?color=7289da\u0026icon=discord\u0026label)](https://discordapp.com/users/bnomei)\n[![Buymecoffee](https://flat.badgen.net/badge/icon/donate?icon=buymeacoffee\u0026color=FF813F\u0026label)](https://www.buymeacoffee.com/bnomei)\n\nKirby plugin for easier Content Security Policy (CSP) header setup.\n\n## Installation\n\n- unzip [master.zip](https://github.com/bnomei/kirby3-security-headers/archive/master.zip) as folder\n  `site/plugins/kirby3-security-headers` or\n- `git submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headers` or\n- `composer require bnomei/kirby3-security-headers`\n\n## Default CSP Headers\n\nThe following headers are applied by default; you do not need to set them explicitly.
They provide a good starting\npoint for most websites.\n\n```yaml\nX-Powered-By:                 \"\" # unset\nX-Frame-Options:              \"SAMEORIGIN\"\nX-XSS-Protection:             \"1; mode=block\"\nX-Content-Type-Options:       \"nosniff\"\nStrict-Transport-Security:    \"max-age=31536000; includeSubdomains\"\nReferrer-Policy:              \"no-referrer-when-downgrade\"\nPermissions-Policy:           \"interest-cohort=()\" # flock-off\n# + various Feature-Policies...\n```\n\n\u003e [!TIP]\n\u003e See `\\Bnomei\\SecurityHeaders::HEADERS_DEFAULT` for more details.\n\n\u003e [!NOTE]\n\u003e Two of these defaults are worth reviewing against your own threat model. `X-XSS-Protection` is a legacy header: current browsers have removed the XSS auditor it controlled and ignore it, and OWASP recommends `0` rather than `1; mode=block` for the browsers that still honour it, because the auditor itself could be abused to leak information; a strict CSP is the real defence. `Referrer-Policy: no-referrer-when-downgrade` sends the full URL to every HTTPS destination, while `strict-origin-when-cross-origin` (the current browser default) sends only the origin to other sites. See the `headers` option in the Settings below.\n\n## Zero Configuration? Almost.\n\nInstalling the plugin is enough to get the default headers sent: a `route:before` hook takes care of sending the CSP headers\nautomatically. But you will most likely need to customize the CSP headers when using third-party services such as\n\n- Content Delivery Networks (CDN),\n- analytics scripts such as Google Tag Manager/Fathom/Matomo/Piwik/Plausible/Umami,\n- embedded external media from YouTube/Vimeo/Instagram/X,\n- external newsletter sign-up forms from Brevo/Mailchimp/Mailjet/Mailcoach,\n- any other third-party service not hosted on your domain or a subdomain of it, or\n- inline `\u003cscript\u003e` and/or `\u003cstyle\u003e` elements.\n\n\u003e [!TIP]\n\u003e The plugin automatically disables itself on local setups so it does not get in your way while developing. To test the CSP headers locally, set the `'bnomei.securityheaders.enabled' =\u003e true,` option to force sending the headers.\n\n## Customizing CSP Headers \u0026 Nonces\n\nYou can customize the CSP headers by providing a custom **Loader** and/or **Setter** via the Kirby config.\n\n### Loader\n\nThe Loader creates the initial CSP-Builder object from a set of mostly static data.
It can return a\npath to a file, an array, or `null` to create a blank CSP-Builder object.\n\n\u003e [!TIP]\n\u003e See `\\Bnomei\\SecurityHeaders::LOADER_DEFAULT` for more details.\n\n\u003e [!WARNING]\n\u003e Consider using a custom loader ONLY if you find yourself adding a lot of configuration in the Setter. The default\n\u003e loader is already quite extensive and should cover most use-cases.\n\n### Setter\n\nThe **Setter** is applied after the **Loader**. Use it to add dynamic entries such as rules for external services, hashes and\nnonces.\n\n**/site/config/config.php**\n\n```php\n\u003c?php\nreturn [\n    'bnomei.securityheaders.setter' =\u003e function ($instance) {\n        // https://github.com/paragonie/csp-builder\n        // #build-a-content-security-policy-programmatically\n        /** @var ParagonIE\\CSPBuilder\\CSPBuilder $csp */\n        $csp = $instance-\u003ecsp();\n        \n        // 'unsafe-eval' and 'unsafe-inline' give up most of what CSP\n        // protects against (any injected script runs); prefer nonces\n        // or hashes for your own inline scripts and styles instead\n        // $csp-\u003esetAllowUnsafeEval('script-src', true);\n        // $csp-\u003esetAllowUnsafeInline('script-src', true);\n        // $csp-\u003esetAllowUnsafeInline('style-src', true);\n        \n        // youtube\n        $csp-\u003eaddSource('frame', 'https://www.youtube.com');\n        $csp-\u003eaddSource('frame', 'https://youtube.com');\n        $csp-\u003eaddSource('image', 'https://ggpht.com');\n        $csp-\u003eaddSource('image', 'https://youtube.com');\n        $csp-\u003eaddSource('image', 'https://ytimg.com');\n        $csp-\u003eaddSource('script', 'https://google.com');\n        $csp-\u003eaddSource('script', 'https://youtube.com');\n\n        // vimeo\n        $csp-\u003eaddSource('frame', 'player.vimeo.com');\n        $csp-\u003eaddSource('image', 'i.vimeocdn.com');\n        $csp-\u003eaddSource('script', 'f.vimeocdn.com');\n        $csp-\u003eaddSource('source', 'player.vimeo.com');\n        $csp-\u003eaddSource('style', 'f.vimeocdn.com');\n
  },\n    // other options...\n];\n```\n\n\u003e [!TIP]\n\u003e You can define nonces in the `Setter` option and retrieve them later using `$page-\u003enonce(...)` or `$page-\u003enonceAttr(...)`.\n\u003e The plugin also provides a single nonce for frontend use out of the box.\n\n## Nonces\n\nFor convenience the plugin also provides you with a single\n*frontend nonce* to use as the `nonce` attribute of `\u003clink\u003e`, `\u003cstyle\u003e` and `\u003cscript\u003e` elements. You can retrieve the nonce with\n`site()-\u003enonce()`.\n\n```php\n\u003cscript nonce=\"\u003c?= site()-\u003enonce() ?\u003e\"\u003e\n/* ... */\n\u003c/script\u003e\n```\n\nA nonce only protects you if it is unpredictable and different for every response; the `seed` option below provides that per request. Make sure the rendered HTML containing the nonce is not served from a page cache: a nonce that is reused across responses can be read from an earlier page and reused by an attacker, which is no better than `'unsafe-inline'`.\n\n\u003e [!NOTE]\n\u003e This plugin automatically registers the nonce that Kirby creates for its panel (in case it is ever needed).\n\n## Disabling the plugin\n\nThe CSP headers are sent from a `route:before` hook before Kirby renders any HTML, but the plugin is automatically\ndisabled if one of the following conditions applies:\n\n- Kirby determines it is\n  a [local setup](https://github.com/getkirby/kirby/blob/03d6e96aa27f631e5311cb6c2109e1510505cab7/src/Cms/System.php#L190)\n  or\n- The plugin's setting `bnomei.securityheaders.enabled` is set to `false`.\n\n\u003e [!WARNING]\n\u003e By default, CSP headers are never sent for Kirby's Panel, API and Media routes.\n\n## Settings\n\n| bnomei.securityheaders.
| Default           | Description                                                                                        |\n|-------------------------|-------------------|----------------------------------------------------------------------------------------------------|\n| enabled                 | `null/true/false` | `null`: send headers unless Kirby detects a local setup; `true`: always send; `false`: never send |\n| seed                    | `callback`        | returns a unique seed for the frontend nonce on every request                                      |\n| headers                 | `callback`        | returns the array of default headers listed above                                                  |\n| loader                  | `callback`        | returns a file path, an array or `null` for the initial CSP-Builder object                         |\n| setter                  | `callback`        | receives the plugin instance and lets you customize its CSPBuilder                                 |\n\n## Dependencies\n\n- [paragonie/csp-builder](https://github.com/paragonie/csp-builder)\n\n## Disclaimer\n\nThis plugin is provided \"as is\" with no guarantee. Use it at your own risk and always test it yourself before using it\nin a production environment. If you find any issues,\nplease [create a new issue](https://github.com/bnomei/kirby3-security-headers/issues/new).\n\n## License\n\n[MIT](https://opensource.org/licenses/MIT)\n\nIt is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or\nany other form of hate speech.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbnomei%2Fkirby3-security-headers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbnomei%2Fkirby3-security-headers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbnomei%2Fkirby3-security-headers/lists"}
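As a worked example for the Setter and Nonces sections of the README above (added here; this is not code from the plugin and does not use paragonie/csp-builder, so it runs with plain PHP 8): the script below generates a per-response nonce, computes a `sha256-` hash source for a static inline script, compiles a `script-src` directive, and then checks a constructed HTML fragment against that directive, flagging inline scripts that carry neither the nonce nor an allow-listed hash and external scripts from hosts the policy does not list. The function names, the sample policy and the HTML snippet are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the kirby3-security-headers plugin and not using
// paragonie/csp-builder: the mechanics behind a nonce-/hash-based script-src
// policy, plus a checker that a rendered page actually satisfies it.

/** Per-response nonce: 128 bits from the CSPRNG, base64-encoded as CSP expects. */
function cspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Hash source for an inline script, e.g. 'sha256-...'. The digest covers the
 * exact bytes between <script> and </script>, whitespace included, so any
 * edit to the inline code (or to its indentation) invalidates the hash.
 */
function cspHashSource(string $inlineBody, string $algo = 'sha256'): string
{
    return "'" . $algo . '-' . base64_encode(hash($algo, $inlineBody, true)) . "'";
}

/** Compile a script-src directive from 'self', allow-listed hosts, a nonce and hashes. */
function compileScriptSrc(string $nonce, array $hashSources, array $hosts = []): string
{
    $sources = array_merge(["'self'"], $hosts, ["'nonce-" . $nonce . "'"], $hashSources);
    return 'script-src ' . implode(' ', $sources);
}

/**
 * Check every <script> in $html against a script-src directive. An inline
 * script must carry the response nonce or have its hash allow-listed; an
 * external script must be same-origin (relative URL) or come from an
 * allow-listed scheme://host. Returns a list of violations; empty = compliant.
 * Simplification: hosts are matched exactly, not with CSP's wildcard,
 * scheme-less or path matching rules.
 */
function findScriptSrcViolations(string $html, string $scriptSrc, string $nonce): array
{
    $allowed    = preg_split('/\s+/', trim(substr($scriptSrc, strlen('script-src'))));
    $violations = [];
    preg_match_all('/<script\b([^>]*)>(.*?)<\/script>/is', $html, $tags, PREG_SET_ORDER);

    foreach ($tags as $i => [, $attrs, $body]) {
        if (preg_match('/\bsrc\s*=\s*["\']([^"\']+)["\']/i', $attrs, $src)) {
            $url = $src[1];
            if (!preg_match('#^https?://#i', $url)) {
                continue; // relative URL: covered by 'self'
            }
            $origin = parse_url($url, PHP_URL_SCHEME) . '://' . parse_url($url, PHP_URL_HOST);
            if (!in_array($origin, $allowed, true)) {
                $violations[] = "script #$i: external src $url is not allow-listed";
            }
            continue;
        }
        if (preg_match('/\bnonce\s*=\s*["\']([^"\']*)["\']/i', $attrs, $n) && hash_equals($nonce, $n[1])) {
            continue; // carries this response's nonce
        }
        if (in_array(cspHashSource($body), $allowed, true)) {
            continue; // static inline script whose hash is in the policy
        }
        $violations[] = "script #$i: inline script has neither a valid nonce nor an allow-listed hash";
    }
    return $violations;
}

// --- constructed demo data (not taken from any real site) ---
$nonce        = cspNonce();
$staticInline = 'window.dataLayer = window.dataLayer || [];';
$policy       = compileScriptSrc($nonce, [cspHashSource($staticInline)], ['https://player.vimeo.com']);

$html = '<script nonce="' . $nonce . '">console.log("templated, nonced");</script>'
      . '<script>' . $staticInline . '</script>'                   // hashed, allowed
      . '<script src="/assets/app.js"></script>'                   // same-origin, allowed
      . '<script src="https://f.vimeocdn.com/player.js"></script>' // host not in the policy
      . '<script>alert(document.cookie)</script>';                 // injected: no nonce, no hash

echo "Content-Security-Policy: $policy\n";
foreach (findScriptSrcViolations($html, $policy, $nonce) as $v) {
    echo "VIOLATION: $v\n";
}
```

Save it as any `.php` file and run it from the command line with `php`. In a Kirby site the nonce would come from `site()->nonce()` and the policy from the Setter; a checker like this is most useful in an integration test that renders a page and asserts the returned list is empty, because in production the browser blocks the offending scripts and visitors simply see a broken page. The example also shows why hashes suit only truly static snippets: the digest covers the exact bytes, so a templated value or a reformatted line breaks the match, which is exactly the case a nonce handles.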