
https://github.com/basecom/magento2-csp-split-header

Magento 2 module that solves the problem of oversized CSP headers by splitting them into multiple headers. It extends Magento's CSP Simple Policy Renderer to replace the existing CSP headers, ensuring they remain valid and reducing the likelihood of exceeding the web server's maximum header size.

# Basecom_CspSplitHeader Magento 2 Module

[![Packagist][ico-version]][link-packagist]
[![Software License][ico-license]](LICENSE)
![Supported Magento Versions][ico-compatibility]

---

> [!IMPORTANT]
> As of Magento 2.4.7 it is no longer possible to deactivate the Magento CSP module.

With a growing _Content Security Policies_ (CSP) whitelist, the problem can arise that the
headers `Content-Security-Policy-Report-Only` and/or `Content-Security-Policy` become so large that they exceed the
maximum permitted size of a header field, so that the web server refuses to process the response any further.

The CSP mechanism allows multiple policies to be specified for a resource, including via the `Content-Security-Policy`
header, the `Content-Security-Policy-Report-Only` header and a `meta`
element [[MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies)].
__Therefore, the headers can be specified more than once.__

This is where the module comes into play. It implements an _after method plugin_ for the
method `Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render`, which replaces the existing CSP headers
via the method `\Magento\Framework\App\Response\HttpInterface::setHeader`. The header is read, split so that the syntax
remains valid, and replaced by the new headers. The result is a separate header for each directive, each of which should
no longer exceed the maximum permitted length of the web server.

> [!TIP]
> If the headers are too large even after splitting, try to identify unnecessary Magento modules and remove them.

## Installation

1. Install it into your Magento 2 project with composer:

```console
composer require basecom/magento2-csp-split-header
```

2. Enable module

```console
bin/magento setup:upgrade
```

## Configuration

| Config | Default Value | Description |
|-------------------------------------------------------------|----------------|------------------------------------------------------------|
| `basecom_csp_split_header/settings/header_splitting_enable` | 0 _(disabled)_ | enables (1) / disables (0) the splitting of the CSP header |
| `basecom_csp_split_header/settings/max_header_size` | 8000 | maximum allowed header field size |

These values can be updated in the system configuration under `Basecom -> Content Security Policy -> Enable`.

## Example

1. CSP splitting _disabled_

```HTTP
Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;
```

2. CSP splitting _enabled_

```HTTP
Content-Security-Policy: default-src 'self' https://example.com;
Content-Security-Policy: connect-src 'none';
Content-Security-Policy: script-src https://example.com/;
```
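As an added illustration of the splitting described in the overview and shown in the example above (this is example code written for this page, not the module's own implementation), the following standalone PHP script applies the same rule: a header that fits within the configured maximum is left untouched, otherwise every directive becomes its own header value, which keeps each value syntactically valid CSP. The function names, the sample policy and the 64-byte and 50-byte budgets are constructed for the demonstration; in the module this work happens inside the after plugin on `SimplePolicyHeaderRenderer::render`, which re-sets the headers through `HttpInterface::setHeader`.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. Splits a CSP header into one header
// per directive when the complete header line would exceed the configured
// maximum, mirroring the README example. The size budget counts the header
// name and the ": " separator as well as the value, as a web server does.

/** Parse a policy value into trimmed, non-empty directives (without ';'). */
function parseDirectives(string $policy): array
{
    $parts = array_map('trim', explode(';', $policy));
    return array_values(array_filter($parts, static fn(string $d): bool => $d !== ''));
}

/** Byte length of the serialized header line "Name: value". */
function headerLineSize(string $name, string $value): int
{
    return strlen($name) + 2 + strlen($value);
}

/**
 * Returns the list of header values to send under $name. If the original
 * header fits within $maxHeaderSize it is returned unchanged; otherwise each
 * directive becomes its own header value, so every value stays valid CSP.
 */
function splitCspHeader(string $name, string $policy, int $maxHeaderSize): array
{
    if (headerLineSize($name, $policy) <= $maxHeaderSize) {
        return [$policy];
    }
    return array_map(static fn(string $d): string => $d . ';', parseDirectives($policy));
}

/**
 * Directive names that would still exceed the limit on their own. Splitting
 * cannot help these; only a smaller whitelist does (the README's tip).
 */
function oversizedDirectives(string $name, string $policy, int $maxHeaderSize): array
{
    $tooBig = [];
    foreach (parseDirectives($policy) as $d) {
        if (headerLineSize($name, $d . ';') > $maxHeaderSize) {
            $tooBig[] = explode(' ', $d, 2)[0]; // e.g. "script-src"
        }
    }
    return $tooBig;
}

// Constructed sample, identical to the README example.
$name = 'Content-Security-Policy';
$policy = "default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;";

// Default budget of 8000 bytes: the 117-byte line fits, so it is sent as-is.
print_r(splitCspHeader($name, $policy, 8000));

// Constructed 64-byte budget to force the split: one header per directive.
foreach (splitCspHeader($name, $policy, 64) as $value) {
    echo $name . ': ' . $value . PHP_EOL;
}

// Constructed 50-byte budget: default-src and script-src are too large even alone.
print_r(oversizedDirectives($name, $policy, 50));
```

Run it with `php split.php`. The `oversizedDirectives` helper covers the case the tip in the overview addresses: a directive whose own whitelist already exceeds the limit cannot be rescued by splitting. One check worth doing after enabling the split: a response that carries several `Content-Security-Policy` headers is subject to each policy independently, so a resource is allowed only if every policy allows it, and a header that carries no `script-src` applies its own `default-src` to scripts. Comparing the report-only violations before and after enabling the split is a quick way to confirm nothing tightened unexpectedly.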

## Known Issues

### CSP header is not split correctly ([#5](https://github.com/basecom/magento2-csp-split-header/issues/5))

Lower the maximum allowed header field size threshold in the config `basecom_csp_split_header/settings/max_header_size`.

### Varnish 503 error ([#7](https://github.com/basecom/magento2-csp-split-header/issues/7))

Increase the Varnish response header size parameter `http_resp_hdr_len`. The default value is 8 KB.

## Contributing

Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

## Security

If you discover any security related issues, please email instead of using the issue tracker.

## License

The MIT License (MIT). Please see [License File](LICENSE) for more information.

## Copyright

© 2024 basecom GmbH & Co. KG

[ico-version]: https://img.shields.io/packagist/v/basecom/magento2-csp-split-header.svg?style=flat-square
[ico-license]: https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square
[ico-compatibility]: https://img.shields.io/badge/magento-2.4-brightgreen.svg?logo=magento&longCache=true&style=flat-square

[link-packagist]: https://packagist.org/packages/basecom/magento2-csp-split-header