{"id":19591940,"url":"https://github.com/catalyst/moodle-local_csp","last_synced_at":"2025-04-27T14:33:33.019Z","repository":{"id":14075193,"uuid":"75778624","full_name":"catalyst/moodle-local_csp","owner":"catalyst","description":"Content security policy reporting and enforcing tool for Moodle","archived":false,"fork":false,"pushed_at":"2025-03-24T22:05:18.000Z","size":176,"stargazers_count":13,"open_issues_count":16,"forks_count":8,"subscribers_count":35,"default_branch":"MOODLE_401_STABLE","last_synced_at":"2025-04-05T00:41:24.139Z","etag":null,"topics":["content-security-policy","csp-report","moodle"],"latest_commit_sha":null,"homepage":"https://moodle.org/plugins/local_csp","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/catalyst.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-12-06T22:51:54.000Z","updated_at":"2025-03-24T22:05:21.000Z","dependencies_parsed_at":"2024-05-22T06:39:58.948Z","dependency_job_id":"95fd1ebf-22a4-46de-a31d-4af6c67109ca","html_url":"https://github.com/catalyst/moodle-local_csp","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fmoodle-local_csp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fmoodle-local_csp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fmoodle-local_csp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/catalyst%2Fmoodle-local_csp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/catalyst","download_url":"https://codeload.github.com/catalyst/moodle-local_csp/tar.gz/refs/heads/MOODLE_401_STABLE","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251154647,"owners_count":21544534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","csp-report","moodle"],"created_at":"2024-11-11T08:32:06.605Z","updated_at":"2025-04-27T14:33:33.012Z","avatar_url":"https://github.com/catalyst.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![ci](https://github.com/catalyst/moodle-local_csp/actions/workflows/ci.yml/badge.svg?branch=MOODLE_401_STABLE)](https://github.com/catalyst/moodle-local_csp/actions/workflows/ci.yml?branch=MOODLE_401_STABLE)\n\n# moodle-local_csp\n\n* [Why would you want this?](#why-would-you-want-this)\n* [What is this?](#what-is-this)\n* [How does it work?](#how-does-it-work)\n* [Branches](#branches)\n* [Performance impact](#performance-impact)\n* [Installation](#installation)\n* [References](#references)\n\nWhy would you want this?\n------------------------\nSecurity, security, security.\n\nThis plugin helps you to detect and mitigate certain classes of security errors in your Moodle such as:\n\n - Mixed content (https/http) after you switched to HTTPS.\n - Same origin (or specified origin) policy for scripts and media data.\n - Unintended iframes\n\nWhat is this?\n-------------\nThis plugin allows you to easily test and roll out [Content Security Policy headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) across your Moodle.\n\nExamples:\n - Report/enforce SSL origin for links, images etc.\n - Report/enforce same-origin for links, images etc.\n\nHow does it work?\n-----------------\n\nThe site admin configures CSP headers, `Content-Security-Policy` or `Content-Security-Policy-Report-Only`, in the plugin settings.\nThe Content-Security-Policy-Report-Only header is for recording CSP violations in Moodle and reviewing them later from the plugin's report page.\n\nEnabling Content-Security-Policy makes the browser block site resources that violate the defined rules.\n\nCSP support in browsers is quite good:\n\nhttps://caniuse.com/#search=CSP\n\nTo get started, visit this admin settings page, enter a basic policy into csp_header_reporting and enable it with csp_header_enable.\n\n/admin/settings.php?section=local_csp_settings\n\nThen you will need to wait a couple of days or a week to collect statistics on which pages are violating that policy.\nYou can see all the violations here:\n\n/local/csp/csp_report.php\n\nAs you discover violations you need to make the business decision of which domains should be allowed, and either amend the CSP policy or change the learning content so it does not violate the policy.\n\nEach time you change the policy you can reset the statistics, either partially, per directive, or fully.\nWhen you gain confidence in your policy you can convert it from a 'report only' policy to a real policy that is enforced.\n\nBe aware that if you prematurely set a policy which is too strict you can break your learning content and even completely break Moodle itself.\n\n\nBranches\n--------\n\n| Moodle version    | Branch                | PHP       |\n| ----------------- | --------------------- | --------- |\n| Moodle 4.1+       | MOODLE_401_STABLE     | 7.4       |\n| Moodle 3.3 to 4.0 | master                | 7.2       |\n| Moodle 2.7        | MOODLE_27_STABLE      | 5.5       |\n\nPerformance impact\n------------------\n\nWhile this plugin is relatively lightweight, if you have a reporting policy in place which has a large\nnumber of violations then each of those violations will be reported to the collector endpoint, which adds load to your server.\n\nIt is recommended to try to fix policy issues as they are identified in the summary reports, or whitelist the content so it is no longer reported on.\n\n\nInstallation\n------------\nCheck out or download the plugin source code into the folder `local/csp` of your Moodle installation.\n\n```sh\ngit clone git@github.com:catalyst/moodle-local_csp.git local/csp\n```\nor\n```sh\nwget https://github.com/moodlerooms/moodle-tool_httpsreplace\n```\n\nFor the zip download, note that the GitHub archive unpacks into a `moodle-local_csp-master` directory, so move it into place:\n```sh\nwget https://github.com/catalyst/moodle-local_csp/archive/master.zip\nunzip master.zip\nmv moodle-local_csp-master local/csp\n```\nThen go to your Moodle admin interface and complete installation and configuration.\nThe example policy 'default-src https:;' reports or enforces HTTPS-only links. Please note that the whole Moodle site must be accessible via HTTPS for this to work.\n\nFor examples of other CSP directives, see the [MDN CSP documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).\n\nReferences\n----------\n\nSee also:\n\nConvert http embedded content to https on https sites where available\nhttps://tracker.moodle.org/browse/MDL-46269\n\nA complementary plugin which works by searching the Moodle DB for bad links:\nhttps://github.com/moodlerooms/moodle-tool_httpsreplace\n\n\nThis plugin was developed by Catalyst IT Australia:\nhttps://www.catalyst-au.net/\n\n\u003cimg alt=\"Catalyst IT\" src=\"https://cdn.rawgit.com/CatalystIT-AU/moodle-auth_saml2/master/pix/catalyst-logo.svg\" width=\"400\"\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcatalyst%2Fmoodle-local_csp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcatalyst%2Fmoodle-local_csp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcatalyst%2Fmoodle-local_csp/lists"}