{"id":18525552,"url":"https://github.com/zero-24/plg_system_httpheader","last_synced_at":"2025-04-09T12:31:17.242Z","repository":{"id":45903760,"uuid":"105373271","full_name":"zero-24/plg_system_httpheader","owner":"zero-24","description":"This is a Joomla Plugin that provides setting of HTTP Headers","archived":false,"fork":false,"pushed_at":"2024-12-22T16:08:56.000Z","size":553,"stargazers_count":22,"open_issues_count":0,"forks_count":7,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-24T05:34:58.982Z","etag":null,"topics":["csp","http-header","joomla","joomla-plugin"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zero-24.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-30T13:54:53.000Z","updated_at":"2025-03-12T13:37:06.000Z","dependencies_parsed_at":"2023-01-24T23:15:54.330Z","dependency_job_id":"7c181629-ccef-4c49-91d9-bd876a83c430","html_url":"https://github.com/zero-24/plg_system_httpheader","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zero-24%2Fplg_system_httpheader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zero-24%2Fplg_system_httpheader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zero-24%2Fplg_system_httpheader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zero-24%2Fplg_system_httpheader/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zero-24","download_url":"https://codeload.github.com/zero-24/plg_system_httpheader/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248040226,"owners_count":21037834,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csp","http-header","joomla","joomla-plugin"],"created_at":"2024-11-06T17:46:18.602Z","updated_at":"2025-04-09T12:31:12.230Z","avatar_url":"https://github.com/zero-24.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HttpHeader Plugin\n\nThis Joomla Plugin implements a UI Layer for the HTTP Security headers so everyone can set and configure them from the backend.\n\n## Features\n\nThis Joomla Plugin helps you to set the following HTTP Security Headers.\n- [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)\n- [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)\n- [Content-Security-Policy-Report-Only](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Testing_your_policy)\n- [X-Frame-Options](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options)\n- [X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)\n- [X-Content-Type-Options](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Content-Type-Options)\n- [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)\n- 
[Expect-CT](https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Expect-CT)\n- [Feature-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)\n- [Permissions-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)\n\nThis plugin also comes with some easy defaults for:\n- X-Frame-Options\n- X-XSS-Protection\n- X-Content-Type-Options\n- Referrer-Policy\n\n**Note**: If you have configured some HTTP Security Headers **directly on the server**, then this Plugin might create double entries.\n\nCheck the output of your HTTP headers after configuring this HTTP Security Headers Plugin (in Google Chrome: Inspect \u003e Network \u003e the output under Headers).\nIn this Plugin you can disable the settings that cause double entries. Also check the Console of your browser for possible errors.\n\n## Configuration\n\n### Initial setup of the plugin\n\n- [Download the latest version of the plugin](https://github.com/zero-24/plg_system_httpheader/releases/latest)\n- Install the plugin using `Upload \u0026 Install`\n- Enable the plugin `System - HttpHeader` from the plugin manager\n\nNow the initial setup is complete and you can start configuring the headers.\n\n### Default Headers\n\nPlease note that by default the following headers and values are set:\n```\nX-Frame-Options: SAMEORIGIN\n```\nMore info: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options\n```\nX-XSS-Protection: 1; mode=block\n```\nMore info: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection\n```\nX-Content-Type-Options: nosniff\n```\nMore info: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options\n```\nReferrer-Policy: no-referrer-when-downgrade\n```\nMore info: https://scotthelme.co.uk/a-new-security-header-referrer-policy/\n\nYou can always choose to disable or change the value for one of those by changing the plugin configuration.\n\n### Option descriptions\n\n#### 
Force HTTP Header\n\nUsing this you can set different values from the default ones and also force headers. The supported headers are:\n- Strict-Transport-Security\n- Content-Security-Policy\n- Content-Security-Policy-Report-Only\n- X-Frame-Options\n- X-XSS-Protection\n- X-Content-Type-Options\n- Referrer-Policy\n- Expect-CT\n- Feature-Policy\n- Cross-Origin-Opener-Policy\n- Permissions-Policy\n- Report-To\n- NEL\n\nHere you can also decide whether the header is applied only to the frontend, only to the backend, or to both.\n\n#### HTTP Strict Transport Security (HSTS)\n\nThis option activates 'Strict Transport Security' and allows the configuration of the value of that header including `Include subdomains`, `Maximum registration time (max-age)` and `Preload`.\n\nHSTS means that your domain can no longer be accessed without HTTPS. Once added to the preload list, this is **not easy to undo**. Domains can be removed, but it takes months for the change to reach users through a browser update. This option is very important to prevent ['man-in-the-middle attacks'](https://en.wikipedia.org/wiki/Man-in-the-middle_attack), so it should be activated in any case, but only if you are sure that HTTPS is fully supported for the domain and all subdomains in the long run! 
The value for 'maximum registration time' must be set to 63072000 (2 years) for recording.\n\n#### Content Security Policy (CSP)\n\nWith this option the `Content-Security-Policy` rule can be set individually, including a dedicated subform for the different directives as well as setting the rules in `Report-Only` mode.\n\n## Update Server\n\nPlease note that my update server only supports the latest version running the latest version of Joomla and at least PHP 7.0.\nAny other plugin versions I may have added to the download section do not get updates using the update server.\n\n## Issues / Pull Requests\n\nYou have found an issue, have a question or you would like to suggest changes regarding this extension?\n[Open an issue in this repo](https://github.com/zero-24/plg_system_httpheader/issues/new) or submit a pull request with the proposed changes.\n\n## Translations\n\nYou want to translate this extension to your own language? Check out my [Crowdin Page for my Extensions](https://joomla.crowdin.com/zero-24) for more details. Feel free to [open an issue here](https://github.com/zero-24/plg_system_httpheader/issues/new) on any question that comes up.\n\nThis plugin is translated into the following languages:\n- de-DE by @zero-24\n- en-GB by @zero-24 \u0026 @brianteeman\n- fr-FR by @Sandra97 \u0026 @YGomiero\n- it-IT by @jeckodevelopment\n- nl-NL by @pe7er\n\n## Beyond this repo\n\nThis plugin has been included in the Joomla Core ([joomla/joomla-cms#18301](https://github.com/joomla/joomla-cms/pull/18301)) and will be part of the upcoming 4.0 Release. Please note that in the core the plugin has been renamed to plg_system_httpheaders (extra `s`) and extended by the new com_csp component for the core distribution.\n\n## Special Thanks\n\nDavid Jardin - @snipersister - https://www.djumla.de/ \u0026 Yves Hoppe - @yvesh - https://compojoom.com/\n\nFor giving me the inspiration for the plugin and their feedback on the actual implementation. Thanks :+1:\n\n## Joomla! 
Extensions Directory (JED)\n\nThis plugin can also be found in the Joomla! Extensions Directory: [HTTPHeader by zero24](https://extensions.joomla.org/extension/httpheader/)\n\n## Release steps\n\n- Update the version within the XMLs\n- `build/build.sh`\n- `git commit -am 'prepare release HttpHeader 1.0.x'`\n- `git tag -s '1.0.x' -m 'HttpHeader 1.0.x'`\n- `git push origin --tags`\n- create the release on GitHub\n- `git push origin master`\n\n## Crowdin\n\n### Upload new strings\n\n`crowdin upload sources`\n\n### Download translations\n\n`crowdin download --skip-untranslated-files --ignore-match`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzero-24%2Fplg_system_httpheader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzero-24%2Fplg_system_httpheader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzero-24%2Fplg_system_httpheader/lists"}