https://github.com/born05/craft-csp
Content Security Policy (or CSP) generator using nonces.
- Host: GitHub
- URL: https://github.com/born05/craft-csp
- Owner: born05
- License: mit
- Created: 2020-03-16T11:18:04.000Z (over 5 years ago)
- Default Branch: craft4
- Last Pushed: 2024-08-20T11:45:54.000Z (about 1 year ago)
- Last Synced: 2024-09-20T15:38:57.386Z (about 1 year ago)
- Topics: content-security-policy, craft-plugin, craft3, craftcms, csp
- Language: PHP
- Size: 23.4 KB
- Stars: 10
- Watchers: 8
- Forks: 8
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
README
# Content Security Policy plugin for Craft CMS 4.x
Content Security Policy (or CSP) generator using nonces.
Currently does not work in combination with the `{% js %}{% endjs %}` block form of the twig tag.
## Requirements
- Craft 4.0.0 and up
- PHP 8.0.2 and up

## Installation
To install the plugin, search the plugin store for "Content Security Policy" or:
`composer require born05/craft-csp`
## Setting up
Set the directives in `config/content-security-policy.php` and use `cspNonce()` in your templates for inline or third-party assets; the nonce it returns is added to the named directive of the header the plugin sends, so the value in the markup and the value in the header always match:

```twig
{# Regular html (tag assumed for illustration: any inline script/style tag carrying the nonce attribute) #}
<script nonce="{{ cspNonce('script-src') }}">
    console.log('inline script allowed by nonce');
</script>

{# Twig tags #}
{% css inlineCSS with {nonce: cspNonce('style-src')} %}
{% js 'example.js' with {nonce: cspNonce('script-src')} %}
```

Example `config/content-security-policy.php`:
```php
<?php

return [
    // 'enabled' is the assumed name of this key; it was cut off in the original
    // listing. Check Settings.php (linked below) for the exact option names.
    'enabled' => true,
    // true sends Content-Security-Policy-Report-Only: violations are reported, nothing is blocked
    'reportOnly' => false,
    'baseUri' => [
        "'none'",
    ],
    // An empty array adds no restriction for that directive. Without a default-src
    // fallback, resource types not listed below stay unrestricted.
    'defaultSrc' => [],
    'scriptSrc' => [
        "'self'",
    ],
    'styleSrc' => [
        "'self'",
    ],
    'imgSrc' => [
        "'self'",
    ],
    'connectSrc' => [],
    'fontSrc' => [],
    'objectSrc' => [],
    'mediaSrc' => [],
    'frameSrc' => [],
    'sandbox' => [],
    'reportUri' => [],
    'childSrc' => [],
    'formAction' => [],
    'frameAncestors' => [],
    'pluginTypes' => [],
    'reportTo' => [],
    'workerSrc' => [],
    'manifestSrc' => [],
    'navigateTo' => [],
];
```

## Troubleshooting
If using the SEOMatic plugin, nonces added by that plugin will interfere with this plugin's configuration. You can disable this feature at `/admin/seomatic/plugin#tags` and re-enable the scripts with the following code:
```twig
{% do seomatic.script.get("googleAnalytics").nonce(cspNonce('script-src')) %}
```

For config options see: [Settings.php](https://github.com/born05/craft-csp/blob/craft4/src/models/Settings.php)
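When a page's inline scripts are blocked even though the plugin is installed, the usual cause is a nonce in the markup that does not match the nonce in the header for that response. The following is an added example, not code from the born05/craft-csp plugin: it reimplements the mechanism the plugin wraps (one fresh nonce per response, the same value in the header and in the markup, built from a config array shaped like the one above) and adds a check you can run against the header your server actually sent. The function names and the sample config are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Function names are assumptions.

/** 128 bits from a CSPRNG, base64-encoded; the browser treats the nonce as opaque. */
function cspGenerateNonce(): string
{
    return base64_encode(random_bytes(16));
}

/** 'scriptSrc' -> 'script-src', matching the camelCase keys of the config file. */
function cspDirectiveName(string $key): string
{
    return strtolower((string) preg_replace('/([a-z])([A-Z])/', '$1-$2', $key));
}

/**
 * Build [header name, header value] from a config array shaped like
 * config/content-security-policy.php. $nonces maps directive names
 * ('script-src', 'style-src') to the nonce minted for this response.
 */
function cspBuildHeader(array $config, array $nonces): array
{
    $parts = [];
    foreach ($config as $key => $sources) {
        if (!is_array($sources) || $sources === []) {
            continue; // flags (enabled, reportOnly) and empty directives are not emitted
        }
        $directive = cspDirectiveName($key);
        if (isset($nonces[$directive])) {
            $sources[] = "'nonce-{$nonces[$directive]}'";
        }
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    $name = !empty($config['reportOnly'])
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    return [$name, implode('; ', $parts)];
}

/**
 * Debug check: does the header sent with this response allow the nonce that
 * ended up in the markup? false is the symptom of a cached page or of another
 * plugin (see SEOMatic above) minting its own nonce.
 */
function cspHeaderAllowsNonce(string $headerValue, string $directive, string $nonce): bool
{
    foreach (explode(';', $headerValue) as $part) {
        $tokens = preg_split('/\s+/', trim($part));
        if ($tokens[0] === $directive) {
            return in_array("'nonce-{$nonce}'", array_slice($tokens, 1), true);
        }
    }
    return false;
}

// Usage: sample config (constructed, same shape as the example above),
// nonces minted exactly once per request.
$config = [
    'enabled'    => true,
    'reportOnly' => false,
    'baseUri'    => ["'none'"],
    'scriptSrc'  => ["'self'"],
    'styleSrc'   => ["'self'"],
    'objectSrc'  => ["'none'"],
];
$nonces = [
    'script-src' => cspGenerateNonce(),
    'style-src'  => cspGenerateNonce(),
];
[$name, $value] = cspBuildHeader($config, $nonces);
header("{$name}: {$value}");

// The same nonce value goes into the markup; inline scripts without it will not run.
echo '<script nonce="' . htmlspecialchars($nonces['script-src'], ENT_QUOTES) . '">'
    . 'console.log("allowed by nonce");</script>';

// Sanity check against what was actually sent: a mismatch means the page and
// the header were produced by different requests.
if (!cspHeaderAllowsNonce($value, 'script-src', $nonces['script-src'])) {
    throw new RuntimeException('nonce in markup does not match the CSP header');
}
```

Two things to keep in mind when the check fails in production: a nonce must be fresh for every response, so any layer that stores rendered HTML (Craft's `{% cache %}` tag, a CDN, full-page caching) freezes a nonce that will not match the header of the next response, and nonce-bearing markup has to be kept out of such caches; and once a directive carries a nonce, browsers that understand nonces ignore `'unsafe-inline'` in that directive, so the nonce cannot be combined with a blanket inline allowance as a fallback.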
## License
Copyright © [Born05](https://www.born05.com/)
See [license](https://github.com/born05/craft-csp/blob/craft4/LICENSE.md)