bnomei / kirby3-security-headers
Kirby Plugin for easier Security Headers setup
Installs: 4 582
Dependents: 0
Suggesters: 6
Security: 0
Stars: 26
Watchers: 2
Forks: 2
Open Issues: 7
Type: kirby-plugin
Requires
- php: >=8.1.0
- getkirby/composer-installer: ^1.2
- paragonie/csp-builder: ^2.5
Requires (Dev)
- getkirby/cms: ^4.0
- php-coveralls/php-coveralls: ^2.1
- phpunit/phpunit: ^9.5
Suggests
- bnomei/kirby3-doctor: Add a panel button to check health and security of your Kirby installation
- dev-master
- 4.0.0
- 2.5.5
- 2.5.4
- 2.5.3
- 2.5.2
- 2.5.1
- 2.5.0
- 2.4.2
- 2.4.1
- 2.4.0
- 2.3.2
- 2.3.1
- 2.3.0
- 2.2.5
- 2.2.4
- 2.2.3
- 2.2.2
- 2.2.1
- 2.2.0
- 2.1.0
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.1.3
- 1.1.2
- 1.1.1
- 1.0.4
- 1.0.3
- 1.0.2
- 1.0.1
- 1.0.0
- 0.6.1
- 0.6.0
- 0.5.7
- 0.5.6
- 0.5.5
- 0.5.4
- 0.5.3
- 0.5.2
- 0.5.1
- 0.5.0
- dev-dependabot/composer/getkirby/cms-3.6.6.2
- dev-dependabot/composer/guzzlehttp/guzzle-7.7.0
- dev-dependabot/composer/guzzlehttp/psr7-2.5.0
This package is auto-updated.
Last update: 2024-11-23 16:21:46 UTC
README
Kirby Plugin for easier Security Headers setup.
🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients' websites and their customers' data is important.
Installation
- unzip master.zip as folder site/plugins/kirby3-security-headers
- or git submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headers
- or composer require bnomei/kirby3-security-headers
Setup
Automatic
A route:before-hook takes care of setting the headers automatically unless one of the following conditions applies:
- Kirby's global debug mode is true
- Kirby determines it is a local setup
- the plugin's setting enabled is set to false
Header
The following headers will be applied by default, you do not need to set them explicitly. You can override them in the config file.
/site/config/config.php
```php
<?php
return [
    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-Frame-Options" => "SAMEORIGIN",
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "strict-transport-security" => "max-age=31536000; includeSubdomains",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', // flock-off
        // ... FEATURE POLICIES
    ],
    // other options...
];
```
Loader
The Loader is used to initially create the CSPBuilder object with a given set of data. You can skip that, forward a file to load, provide an array, or use the default loader file. Using a custom file is recommended when, for example, adding an additional font-src for Google web fonts.
/site/config/config.php
```php
<?php
return [
    'bnomei.securityheaders.loader' => function () {
        // https://github.com/paragonie/csp-builder#example

        // null if you do NOT want to use default and/or just the setter
        /*
        return null;
        */

        // return path of file (json or yaml)
        // or an array of options for the cspbuilder
        /*
        return [...];
        return kirby()->roots()->site() . '/your-csp.json';
        return kirby()->roots()->site() . '/your-csp.yml';
        */

        // otherwise forward the default file from this plugin
        return __DIR__ . '/loader.json';
    },
    // other options...
];
```
Setter
The Setter is applied after the Loader. Use it to add dynamic stuff like hashes and nonces.
/site/config/config.php
```php
<?php
return [
    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
        // https://github.com/paragonie/csp-builder#build-a-content-security-policy-programmatically
        /** @var ParagonIE\CSPBuilder\CSPBuilder $csp */
        /*
        $csp = $instance->csp();
        $nonce = $instance->setNonce('my-inline-script');
        $csp->nonce('script-src', $nonce);
        */

        // in your template retrieve it again with
        /*
        $nonce = $page->nonce('my-inline-script');    // => `THIS-IS-THE-NONCE`
        $attr = $page->nonceAttr('my-inline-script'); // => `nonce="THIS-IS-THE-NONCE"`
        */
    },
    // other options...
];
```
TIP: nonces are set in the setter and later retrieved using $page->nonce(...) or $page->nonceAttr(...).
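As an added example (not code from the plugin's README), the loader and setter above combined in one config.php: the loader returns a csp-builder array instead of the default loader.json, widened for Google web fonts as the Loader section suggests, and the setter adds a per-request nonce plus a hash for a fixed inline script. The font hosts, the 'analytics' nonce name and the inline script text are constructed values; the array keys follow csp-builder's own array format.

```php
<?php
// site/config/config.php (added example; hosts and script text are constructed)

return [
    // Loader: runs first and builds the CSPBuilder from this array. Only
    // font-src/style-src are widened for Google web fonts; everything else
    // stays locked to 'self', and object-src allows no sources at all.
    'bnomei.securityheaders.loader' => function () {
        return [
            'default-src' => ['self' => true],
            'script-src'  => ['self' => true], // nonce and hash are added by the setter
            'style-src'   => ['self' => true, 'allow' => ['https://fonts.googleapis.com']],
            'font-src'    => ['self' => true, 'allow' => ['https://fonts.gstatic.com']],
            'img-src'     => ['self' => true, 'data' => true],
            'object-src'  => [],
            'base-uri'    => ['self' => true],
            'form-action' => ['self' => true],
            'upgrade-insecure-requests' => true,
        ];
    },

    // Setter: runs after the loader, so per-request values belong here.
    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
        /** @var \ParagonIE\CSPBuilder\CSPBuilder $csp */
        $csp = $instance->csp();

        // 1) A fresh nonce for this request, stored under the name 'analytics'.
        //    The template reads the same value back with $page->nonce('analytics')
        //    or emits the attribute with $page->nonceAttr('analytics').
        $nonce = $instance->setNonce('analytics');
        $csp->nonce('script-src', $nonce);

        // 2) A hash for an inline script whose text never changes. The template
        //    must output exactly this string, byte for byte; any whitespace
        //    difference changes the digest and the browser blocks the script.
        $inlineScript = "document.documentElement.classList.add('js');";
        $csp->hash('script-src', $inlineScript, 'sha256');
    },
];
```

In the template, `<script <?= $page->nonceAttr('analytics') ?>>` carries the nonce for the first script, while the hashed snippet is emitted verbatim without a nonce.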
Panel and Frontend Nonces
This plugin automatically registers Kirby's nonce for the panel. For convenience it also provides you with a single frontend nonce to use as an attribute in <link>, <style> and <script> elements. You can retrieve the nonce with site()->nonce() and the full attribute with site()->nonceAttr().
```php
<?php ?>
<script nonce="<?= site()->nonce() ?>">
// ...
</script>
<style <?= site()->nonceAttr() ?>>
</style>
```
TIP: The srcset plugin uses that frontend nonce as well.
Settings
Dependencies
Disclaimer
This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.
License
It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.