Content Security Policy manager for Craft CMS.
This plugin requires Craft CMS 4.0.0 or later.
composer require cloudgrayau/csp
CSP is a Content Security Policy and HTTP Header Response manager for Craft CMS.
This plugin is 100% compatible with any nonces generated by the Automatic Render Enabled setting inside SEOmatic Plugin Settings (General). To ensure compatibility, please set the Nonces for <script> tags option to Response Headers inside the SEOmatic Plugin Settings (Tags).
Please note: any script-src CSP tags set within SEOmatic will also be applied. The Content-Security-Policy HTTP Response Header applied by SEOmatic is automatically overridden and/or removed.
To ensure the Content Security Policy remains compatible with Blitz caching enabled, please ensure the CSP Mode is set to Meta Tags inside the CSP Settings (Settings).
The plugin can be configured via the Craft CMS Settings or by using the supplied config/csp.php file.
Additional nonces can be configured in your templates as follows:
{# HTML #}
<script src="url/of/script.js" nonce="{{ csp('script-src') }}"></script>
<link href="url/of/style.css" rel="stylesheet" nonce="{{ csp('style-src') }}" />
{# CSS Twig tags #}
{% do view.registerCssFile(url('scss/styles.scss'), { nonce: csp('style-src') }) %}
{% do view.registerCss('body { background: red; }', { nonce: csp('style-src') }) %}
{# JS Twig tags #}
{% do view.registerJsFile(url('js/site.js'), { nonce: csp('script-src') }) %}
The CSP configuration can also be updated at request time from your Twig templates. This is useful, for example, to disable the CSP on XHR requests, which return JSON or HTML fragments rather than a full document:
{% do craft.csp.config({'cspEnabled': false}) %}
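The following layout fragment combines the two uses above: it disables the policy for Ajax requests and otherwise applies one nonce per directive to inline and registered assets. This is an added example, not code from the plugin's own documentation; it assumes `csp()` returns a nonce string that the plugin has already added to the emitted policy, and uses Craft's standard `craft.app.request.isAjax` request property.

```twig
{# Added example: skip the CSP entirely on XHR/fetch requests. isAjax is
   Craft's standard request property; cspEnabled is the key shown above. #}
{% if craft.app.request.isAjax %}
    {% do craft.csp.config({'cspEnabled': false}) %}
{% else %}
    {# Fetch one nonce per directive and reuse it, so every inline block on
       the page shares the value the plugin emits in the policy (assumption:
       csp() registers the nonce it returns). #}
    {% set scriptNonce = csp('script-src') %}
    {% set styleNonce = csp('style-src') %}

    {# Inline style and script blocks carry the nonce attribute directly. #}
    <style nonce="{{ styleNonce }}">
        body { background: #fff; }
    </style>
    <script nonce="{{ scriptNonce }}">
        window.siteConfig = { locale: "{{ craft.app.language }}" };
    </script>

    {# Registered assets take the nonce through the options array. #}
    {% do view.registerCssFile(url('css/site.css'), { nonce: styleNonce }) %}
    {% do view.registerJsFile(url('js/site.js'), { nonce: scriptNonce }) %}
{% endif %}
```

Any inline script or style that omits the nonce attribute will be blocked by the browser once the policy is active, so check the browser console for CSP violation reports after wiring this in.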
Brought to you by Cloud Gray Pty Ltd