Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
This module provides the ability to:
Once a CSP is in place and working, any asset loads that do not meet the policy requirements will be blocked, with warnings similar to this in the browser dev console:
Refused to load the script 'https://badactor.example.com/eval.js' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-example' https://cdnjs.cloudflare.com/".
This is the Silverstripe 4.x version of the module, with releases tagged as v0.2 and up.
The Silverstripe 3.x version has releases tagged as v0.1. While none are planned, any future releases of the ss3 branch will remain at 0.1.x.
The only supported method of installing this module is via composer:
composer require nswdpc/silverstripe-csp
⚠️ An incorrectly implemented CSP can have negative effects for valid visitors to your website.
When you are pleased with the settings, check the "Use on published website" setting and save.
After UAT is complete, implement the same process on your production website. Initially, you should run the policy as report-only and monitor the reports before enforcing it.
By default, Pages can define an extra Policy that is delivered when the page is requested, with the following caveat. MDN provides some useful information on this process:
Adding additional policies can only further restrict the capabilities of the protected resource
This means that you can't (currently) relax the base policy restrictions from within your page policy: a resource load must satisfy the base policy and the page policy.
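The two behaviours described above (a load that matches no source expression is refused with a console warning like the one quoted earlier, and an extra page policy can only restrict, never relax, the base policy, while a report-only policy records violations without blocking) can be seen in the following toy evaluator. This is an added example, not code from the module: the page origin https://www.example.com, the CDN and widget hosts, and the `'nonce-example'` value are constructed, and host matching is simplified (ports and scheme upgrades are not modelled).

```python
"""Toy CSP evaluator (constructed example, not part of the silverstripe-csp module)."""
from urllib.parse import urlparse

# Constructed sample policies. The nonce value mirrors the placeholder in the
# browser warning quoted in the text; the hosts are illustrative only.
BASE_POLICY = "default-src 'self'; script-src 'self' 'nonce-example' https://cdnjs.cloudflare.com/"
PAGE_POLICY = "script-src 'self' https://widgets.example.org"           # stricter: drops cdnjs
RELAXED_PAGE_POLICY = "script-src 'self' https://badactor.example.com"  # tries (and fails) to relax


def parse_policy(header_value):
    """Parse a CSP header value into {directive_name: [source expressions]}."""
    directives = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _host_source_matches(expr, url, page_origin):
    """Match a host-source such as https://cdn.example.com/libs/ or *.example.com.
    Simplification: ports are ignored and the scheme must match exactly."""
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    else:
        scheme, rest = page_origin.scheme, expr
    hostport, _, path = rest.partition("/")
    host = hostport.split(":")[0].lower()
    if scheme.lower() != url.scheme:
        return False
    if host.startswith("*."):
        if not url.hostname.endswith(host[1:]):
            return False
    elif host != url.hostname:
        return False
    path = "/" + path
    if path == "/":
        return True                      # no path component: any path on that host
    if path.endswith("/"):
        return url.path.startswith(path)  # trailing slash: prefix match
    return url.path == path               # otherwise: exact match


def directive_allows(sources, url, page_origin, nonce=None):
    """Does a list of source expressions permit loading `url`?"""
    if "'none'" in sources:
        return False
    for expr in sources:
        if expr == "'self'":
            if (url.scheme, url.hostname) == (page_origin.scheme, page_origin.hostname):
                return True
        elif expr.startswith("'nonce-"):
            # A script element carrying a matching nonce is allowed regardless of host.
            if nonce is not None and expr == "'nonce-%s'" % nonce:
                return True
        elif expr.startswith("'"):
            continue  # other keyword sources ('unsafe-inline', hashes, ...) not modelled
        elif _host_source_matches(expr, url, page_origin):
            return True
    return False


def evaluate(policies, resource_url, directive="script-src",
             page="https://www.example.com/", nonce=None):
    """Evaluate one resource load against every delivered policy.

    `policies` is a list of (header_value, report_only) pairs, in delivery order.
    Returns (allowed, violations): violations holds the directive text of every
    policy the load breaks, and a load is blocked as soon as any *enforcing*
    policy refuses it. Several policies therefore only ever add restrictions.
    """
    url = urlparse(resource_url)
    origin = urlparse(page)
    allowed = True
    violations = []
    for header_value, report_only in policies:
        d = parse_policy(header_value)
        sources = d[directive] if directive in d else d.get("default-src")
        if sources is None:
            continue  # this policy does not govern the directive at all
        if not directive_allows(sources, url, origin, nonce):
            violations.append("%s %s%s" % (directive, " ".join(sources),
                                           " (report-only)" if report_only else ""))
            if not report_only:
                allowed = False
    return allowed, violations


if __name__ == "__main__":
    for pols, res in [([(BASE_POLICY, False)], "https://cdnjs.cloudflare.com/ajax/libs/x.js"),
                      ([(BASE_POLICY, False), (PAGE_POLICY, False)], "https://cdnjs.cloudflare.com/ajax/libs/x.js"),
                      ([(BASE_POLICY, False), (RELAXED_PAGE_POLICY, False)], "https://badactor.example.com/eval.js"),
                      ([(BASE_POLICY, False), (PAGE_POLICY, True)], "https://cdnjs.cloudflare.com/ajax/libs/x.js")]:
        print(res, "->", evaluate(pols, res))
```

Running the file shows the cdnjs script allowed under the base policy alone, blocked once the stricter page policy is added, the relaxed page policy unable to admit a host the base policy refuses, and the report-only page policy producing a violation record while the load still proceeds, which is the rollout sequence the installation notes recommend.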
See using a nonce
See good-to-know
See reporting
Refer to the following for changes between levels:
See further reading
See browser support
We welcome bug reports, pull requests and feature requests on the Github Issue tracker for this project.
Please review the code of conduct prior to opening a new issue.
If you have found a security issue with this module, please email digital[@]dpc.nsw.gov.au in the first instance, detailing your findings.
If you would like to make contributions to the module please ensure you raise a pull request and discuss with the module maintainers.
Please review the code of conduct prior to completing a pull request.