Product support

Get help in the plugin support forum.

  • Added on Sep 9, 2019
  • Current version: 1.0.2
  • Platform Compatibility
    v3.x use latest
    v2.x use latest
    v1.x use latest
  • License: Regular / Extended
  • Created by


This plugin adds CSP (Content Security Police) headers to each frontend page and allows to configure CSP and other security headers from OctoberCMS backend.

What is CSP?

CSP - "Content Security Policy" - is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Read more about CSP at developer.mozilla.org.


  • Manage trusted domains for CSP.
  • Enable/disable "inline" and "eval" availability for CSS and JS.
  • Manage "Referrer policy".
  • Enable/disable XSS protection header.
  • Enable/disable content-type sniffing protection.
  • Enable/disable strict transport security.


  • English
  • Russian
Configure CSP: trusted sources of CSS styles


In your OctoberCMS backend go to "Updates" > "Install plugins" and search for "xeloses.cspmanager" or install from October Marketplace.


  • Open "Settings" in OctoberCMS backend, head to "System" > "CSP Manager".
  • Insert trusted domains that your site uses for upload/link images, styles, scripts, etc.
  • Select politics you want to use on "Additional" tab.
  • Press "Save".

Plugin will send all security headers automatically.


You need to be logged on October backend to configure CSP.

Also, you can give permission to manage CSP settings to your backend users.


Plugin can dispatch events:

  • xeloses.csp.fail - fires when plugin unable to send headers.
  • xeloses.csp.beforeSend - fires before send headers (only when plugin is able to send headers).
  • xeloses.csp.afterSend - fires after CSP headers has been sent.


Headers must be sent to client before any data. Read more about HTTP headers and their restrictions at www.php.net

If your system sends anything to client before October's event 'cms.page.start' then plugin will not be able to send headers. To solve this problem add to your ".htaccess" file:

<IfModule mod_php7.c>
    php_flag output_buffering On

or just enable "Output buffering" option in "php.ini" file if you have access to it.


Added settings page.

Sep 06, 2019


Initialize plugin.

Sep 06, 2019