Installation

In your OctoberCMS backend go to "Updates" > "Install plugins" and search for "xeloses.cspmanager" or install from October Marketplace.

Usage

• Open "Settings" in OctoberCMS backend, head to "System" > "CSP Manager".
• Insert trusted domains that your site uses for upload/link images, styles, scripts, etc.
• Select politics you want to use on "Additional" tab.
• Press "Save".

Plugin will send all security headers automatically.

Security

You need to be logged on October backend to configure CSP.

Also, you can give permission to manage CSP settings to your backend users.

Events

Plugin can dispatch events:

• xeloses.csp.fail - fires when plugin unable to send headers.
• xeloses.csp.beforeSend - fires before send headers (only when plugin is able to send headers).
• xeloses.csp.afterSend - fires after CSP headers has been sent.

Issues

Headers must be sent to client before any data. Read more about HTTP headers and their restrictions at www.php.net

If your system sends anything to client before October's event 'cms.page.start' then plugin will not be able to send headers. To solve this problem add to your ".htaccess" file:

<IfModule mod_php7.c>
    php_flag output_buffering On
</IfModule>

or just enable "Output buffering" option in "php.ini" file if you have access to it.