firesphere / cspheaders
Setup CSP Headers for a website
Requires
- php: ^8.1
- ext-simplexml: *
- guzzlehttp/guzzle: >=6
- paragonie/csp-builder: ^3.0.0
- silverstripe/admin: ^1|^2
- silverstripe/framework: ^4|^5
- symfony/yaml: >=4
This package is auto-updated.
Last update: 2024-11-11 09:30:09 UTC
README
Adds CSP headers to your request, based on configuration in a yml file.
Setting up a report-uri account is free and easy.
Disclaimer
If this module breaks your website, you get to keep all the pieces.
Requirements
- SilverStripe Framework 4.x+
- PHP 8.0+
Installation
composer require firesphere/cspheaders
Configuration and usage
WARNING
When using this module with CSS hashes or nonces enabled, any inline styles declared on HTML elements themselves will no longer work.
To enable or disable inline JavaScript or CSS, set the appropriate flag (allow-inline) in your yml config.
The same goes for JavaScript. JavaScript specifically should live either in a separate file, or be added using Requirements::customScript().
The default for CSS is therefore false; JavaScript, however, defaults to true for security reasons.
CDN Providers
When using Incapsula or Imperva (and potentially other CDN providers), your CSS and JavaScript may be altered by the CDN, so their integrity hashes will never compute correctly.
The only solution is to disable SRI for CSS and JavaScript on these providers.
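To confirm that a CDN is rewriting an asset before turning SRI off, compare the integrity value computed from the origin copy with the bytes the CDN serves. The check below is an added example, not code from this module; the function names and the sample file contents are constructed for illustration, and it follows the browser rule that only the strongest listed algorithm is enforced.

```python
import base64
import hashlib
import hmac

# Digest algorithms SRI allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_value(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for body, e.g. 'sha384-...'."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(integrity: str, body: bytes) -> bool:
    """Check body against an integrity attribute the way a browser does:
    only the strongest algorithm listed is considered, and any one of
    its hashes may match."""
    candidates = []
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm in SRI_ALGORITHMS and rest:
            # Drop an optional "?options" suffix after the hash.
            candidates.append((algorithm, rest.split("?", 1)[0]))
    if not candidates:
        return True  # no usable metadata: the browser enforces nothing
    strongest = max(candidates, key=lambda c: SRI_ALGORITHMS.index(c[0]))[0]
    actual = sri_value(body, strongest).split("-", 1)[1].encode()
    return any(
        hmac.compare_digest(actual, expected.encode())
        for algorithm, expected in candidates
        if algorithm == strongest
    )


# Constructed sample: the file as deployed at the origin, and the same
# file after a CDN appended its own snippet (contents are made up).
ORIGIN_JS = b"document.title = 'hello';\n"
CDN_JS = ORIGIN_JS + b"/* injected by CDN */\n"
INTEGRITY = sri_value(ORIGIN_JS)

if __name__ == "__main__":
    print("integrity attribute:", INTEGRITY)
    print("origin copy passes: ", sri_matches(INTEGRITY, ORIGIN_JS))
    print("CDN copy passes:    ", sri_matches(INTEGRITY, CDN_JS))
```

In practice, replace the two sample byte strings with the file read from the web root and the response body fetched through the CDN hostname.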
.htaccess
Any header set in the .htaccess, Apache site.conf or nginx.conf files will override the headers set by this module.
Did you read this entire readme? You rock!
Pictured below is a cow, just for you.
/( ,,,,, )\
_\,;;;;;;;,/_
.-"; ;;;;;;;;; ;"-.
'.__/`_ / \ _`\__.'
| (')| |(') |
| .--' '--. |
|/ o o \|
| |
/ \ _..=.._ / \
/:. '._____.' \
;::' / \ .;
| _|_ _|_ ::|
.-| '==o==' '|-.
/ | . / \ | \
| | ::| | | .|
| ( ') (. )::|
|: | |; U U ;|:: | `|
|' | | \ U U / |' | |
##V| |_/`"""`\_| |V##
##V## ##V##