This plugin adds CSP (Content Security Policy) headers to every frontend page and lets you configure CSP and other security response headers from the OctoberCMS backend.
What is CSP?
CSP - "Content Security Policy" - is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
Read more about CSP at developer.mozilla.org.
- Manage the trusted domains (source hosts) allowed by the CSP.
- Allow or block inline code ('unsafe-inline') and eval ('unsafe-eval') for CSS and JS. Keep both disabled wherever possible; allowing them removes most of the XSS protection CSP provides.
- Manage the "Referrer-Policy" header.
- Enable/disable the X-XSS-Protection header (legacy; modern browsers ignore it and rely on CSP instead).
- Enable/disable content-type sniffing protection (X-Content-Type-Options: nosniff).
- Enable/disable HTTP Strict Transport Security (Strict-Transport-Security). Only enable this once the whole site is served over HTTPS, because browsers will refuse plain HTTP for the configured max-age.
In your OctoberCMS backend go to "Updates" > "Install plugins" and search for "xeloses.cspmanager" or install from October Marketplace.
- Open "Settings" in the OctoberCMS backend and go to "System" > "CSP Manager".
- Enter the trusted domains from which your site loads or links images, styles, scripts, fonts, etc. Anything not listed will be blocked by the browser, so check the browser console for CSP violation reports after saving.
- Select the policies you want to use on the "Additional" tab.
- Press "Save".
The plugin then sends all configured security headers automatically. You can verify this by inspecting the response headers of a frontend page in the browser's developer tools or with curl -I.
You need to be logged in to the October backend to configure CSP.
You can also grant the permission to manage CSP settings to other backend users.
The plugin dispatches the following events:
- xeloses.csp.fail: fired when the plugin is unable to send headers.
- xeloses.csp.beforeSend: fired before the headers are sent (only when the plugin is able to send them).
- xeloses.csp.afterSend: fired after the CSP headers have been sent.
HTTP headers must be sent to the client before any response body. Read more about HTTP headers and their restrictions at www.php.net (see the header() function).
The plugin sends its headers on October's 'cms.page.start' event. If anything has already been sent to the client before that event (for example a stray echo, a UTF-8 BOM, or whitespace before an opening <?php tag in a plugin or theme file), PHP can no longer add headers and the plugin will fire xeloses.csp.fail instead.
To solve this problem, enable PHP output buffering so that output is held until the response is complete. With PHP running as an Apache module, add to your ".htaccess" file:
<IfModule mod_php7.c>
    php_flag output_buffering On
</IfModule>
(For PHP 8 the module name is mod_php.c.) Under PHP-FPM or CGI, php_flag directives have no effect; enable the "output_buffering" option in "php.ini" instead, or in a ".user.ini" file in the web root if you cannot edit php.ini. Output buffering only hides the symptom, so it is still worth finding and removing the premature output.
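The following is an added example and is not code from the xeloses.cspmanager plugin. It shows how a site's own plugin (the namespace Acme\Site is hypothetical) can subscribe to the events listed above to diagnose the premature-output problem described here: on xeloses.csp.fail it uses PHP's headers_sent() to log the file and line where output started, and on xeloses.csp.afterSend it logs the CSP header that actually went out. The events' arguments are not documented, so the listeners do not rely on any.

```php
<?php

// Hypothetical site plugin (example only, not part of xeloses.cspmanager).
namespace Acme\Site;

use Event;
use Log;
use System\Classes\PluginBase;

class Plugin extends PluginBase
{
    public function pluginDetails()
    {
        return [
            'name'        => 'CSP diagnostics',
            'description' => 'Logs CSP Manager events to help locate premature output.',
            'author'      => 'Acme',
            'icon'        => 'icon-shield',
        ];
    }

    public function boot()
    {
        // Fired by CSP Manager when it could not send headers. headers_sent()
        // tells us exactly which file and line produced the first output byte,
        // which is the usual reason header() calls stop working.
        Event::listen('xeloses.csp.fail', function () {
            $file = null;
            $line = null;
            if (headers_sent($file, $line)) {
                Log::warning("CSP headers not sent: output already started at {$file}:{$line}");
            } else {
                // Headers were still sendable, so the failure had another cause.
                Log::warning('CSP headers not sent, but no output had started yet; check the plugin settings and the server log.');
            }
        });

        // Fired after CSP Manager sent its headers. headers_list() returns the
        // headers queued for this response, so we can record the effective policy.
        Event::listen('xeloses.csp.afterSend', function () {
            $csp = array_filter(headers_list(), function ($header) {
                return stripos($header, 'Content-Security-Policy') === 0;
            });
            Log::info('CSP headers sent: ' . implode(' | ', $csp));
        });
    }
}
```

Put this class in plugins/acme/site/Plugin.php (path assumed from the hypothetical namespace) and check storage/logs after loading a frontend page; a logged file and line from the xeloses.csp.fail listener points directly at the output that has to be removed or buffered.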
Changelog
Sep 06, 2019: Added settings page.