This module provides the ability to:
This is the Silverstripe 4.x version of the module, with releases tagged as v0.2 and up.
The Silverstripe 3.x version has releases tagged as v0.1; any future 3.x releases will remain at 0.1.x.
A good set of settings to start out with is:
When you are pleased with the settings, check the "Use on published website" setting and save.
By default, pages can define a specific policy to be delivered when they are requested.
If one is selected on the Settings tab of a page in the site tree, it is merged into the base policy (if one exists) or is used as the policy for that request.
Adding additional policies can only further restrict the capabilities of the protected resource.
This means that you can't relax the base policy restrictions from within your page policy.
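The "can only further restrict" rule is browser behaviour, not something the module chooses: when more than one policy is in force, a fetch must be allowed by every one of them. The following is an added example, not code from this module, that models that check for host and scheme sources (nonces, hashes and ports are deliberately left out). The base and page policies, the page origin and the URLs are constructed for the demo.

```javascript
// Added example (not part of the module): a minimal model of how a browser
// applies several delivered CSPs to one request. Every policy must allow the
// source, so a page-level policy can only tighten the base policy.

// Parse "script-src 'self' https://cdn.example.com; img-src *" into a Map.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match the URL, relative to the page origin?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return true;
  // Scheme source such as "https:" or "data:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // Nonces, hashes and 'unsafe-*' keywords are not host matches; skipped here.
  if (expr.startsWith("'")) return false;
  // Host source: optional scheme, optional "*." wildcard, port ignored in this model.
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}

// Is the fetch allowed by one policy? Falls back to default-src when the
// specific fetch directive is absent; no default-src either means "allow".
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Browser rule: with several policies in force, every one must allow the fetch.
function allowedByAll(policyTexts, directive, urlText, pageOrigin) {
  const url = new URL(urlText);
  return policyTexts.map(parsePolicy).every((p) => policyAllows(p, directive, url, pageOrigin));
}

// Constructed demo: a site-wide base policy, and a page policy that tries to
// add a CDN the base policy does not allow.
const PAGE_ORIGIN = 'https://www.example.com';
const BASE = "default-src 'self'; script-src 'self'";
const PAGE = "script-src 'self' https://cdn.example.com";
const STRICT_PAGE = "script-src 'none'";

function demoMerge() {
  return {
    selfScript: allowedByAll([BASE, PAGE], 'script-src', 'https://www.example.com/app.js', PAGE_ORIGIN),
    cdnScriptBaseOnly: allowedByAll([BASE], 'script-src', 'https://cdn.example.com/lib.js', PAGE_ORIGIN),
    cdnScriptPageOnly: allowedByAll([PAGE], 'script-src', 'https://cdn.example.com/lib.js', PAGE_ORIGIN),
    // The page policy alone would allow the CDN, but combined with the base it cannot.
    cdnScriptMerged: allowedByAll([BASE, PAGE], 'script-src', 'https://cdn.example.com/lib.js', PAGE_ORIGIN),
    // Tightening does work: a page policy can block what the base allows.
    strictPageBlocksSelf: allowedByAll([BASE, STRICT_PAGE], 'script-src', 'https://www.example.com/app.js', PAGE_ORIGIN),
  };
}

console.log(demoMerge());
```

The practical consequence for page authors: if a page needs a source the base policy blocks, the base policy itself must be changed; adding the source to the page policy has no effect.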
The Silverstripe Admin requires the CSP directive script-src to permit unsafe-eval. It's wise to not allow unsafe-eval in a policy, but if the policy's script-src does not allow it, the admin will not load.
To avoid getting locked out of the admin, set the run_in_admin config value to false. Note that this will stop the policy from being delivered in any controller that is a child of
The configuration value run_in_admin is shipped as false by default.
You can whitelist certain controllers in module config. This will block the policy from being delivered in those controllers.
Override module configuration in your project configuration.
You can choose to deliver the CSP via meta tags.
Choosing this option will cause certain features to be unavailable:
report-to directives are not supported in meta tags and will not be present.
The Content-Security-Policy-Report-Only header is not supported, currently.
The only way to receive policy violation reports is via the HTTP header delivery method.
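To make the header-versus-meta difference concrete, here is an added example (not the module's own rendering code) that serialises one policy either as response headers or as a meta element. It drops the directives the page says are unavailable in meta delivery (report-to, and report-uri which the legacy reporting mechanism uses) and refuses report-only mode via meta, since there is no meta equivalent of the Content-Security-Policy-Report-Only header. It goes one step beyond the page in also dropping frame-ancestors and sandbox, which the CSP specification ignores in meta tags. The policy value and report path are constructed for the demo.

```javascript
// Added example (not the module's code): render one policy as HTTP headers or
// as a <meta> element, honouring what meta delivery cannot carry.

// Directives a browser ignores when the policy arrives in a <meta> element.
// report-uri / report-to: reporting is header-only.
// frame-ancestors / sandbox: also meta-unsupported per the CSP specification.
const META_UNSUPPORTED = new Set(['report-uri', 'report-to', 'frame-ancestors', 'sandbox']);

// Policy is a plain object: directive name -> array of source expressions.
function serialise(policy, forMeta) {
  return Object.entries(policy)
    .filter(([name]) => !(forMeta && META_UNSUPPORTED.has(name)))
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Returns { headers } for header delivery or { html } for meta delivery.
function deliverPolicy(policy, { via = 'header', reportOnly = false } = {}) {
  if (via === 'header') {
    const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    return { headers: { [name]: serialise(policy, false) } };
  }
  if (via !== 'meta') throw new Error(`unknown delivery method: ${via}`);
  // There is no meta-tag equivalent of the Report-Only header.
  if (reportOnly) throw new Error('report-only mode cannot be delivered via a meta tag');
  // Escape double quotes so the policy cannot break out of the attribute.
  const value = serialise(policy, true).replace(/"/g, '&quot;');
  return { html: `<meta http-equiv="Content-Security-Policy" content="${value}">` };
}

// Constructed sample policy; /csp/report is a placeholder reporting path.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'frame-ancestors': ["'none'"],
  'report-uri': ['/csp/report'],
};

console.log(deliverPolicy(POLICY, { via: 'header' }));
console.log(deliverPolicy(POLICY, { via: 'meta' }));
```

With meta delivery the rendered policy silently loses its reporting and frame-ancestors protections, which is why the header method is the one to use whenever the server lets you set response headers.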
You can receive violation reports when they occur.
The module provides its own endpoint for receiving violation reports. Be aware that enabling the local reporting endpoint could cause load issues on higher-traffic websites, since every blocked resource in every visitor's browser produces a report.
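The load concern above comes from the volume of near-identical reports a busy site generates. The following is an added example, not the module's endpoint, showing what a receiving endpoint typically does with a report body: accept both the legacy report-uri format and the report-to (Reporting API) format, keep the handful of fields worth reviewing, and count duplicates rather than storing every hit. The two report bodies are constructed for the demo.

```javascript
// Added example (not the module's own endpoint): normalise incoming CSP
// violation reports and aggregate duplicates so a busy site does not store
// one row per browser hit.

// Accept both the legacy report-uri body ({"csp-report": {...}}) and the
// Reporting API body sent for report-to ([{type: "csp-violation", body: {...}}]).
function parseViolationReports(jsonText) {
  const data = JSON.parse(jsonText);
  const out = [];
  if (data && typeof data === 'object' && !Array.isArray(data) && 'csp-report' in data) {
    const r = data['csp-report'];
    out.push({
      documentUrl: r['document-uri'] ?? '',
      directive: r['effective-directive'] ?? r['violated-directive'] ?? '',
      blockedUrl: r['blocked-uri'] ?? '',
      disposition: r['disposition'] ?? 'enforce',
    });
  } else if (Array.isArray(data)) {
    for (const item of data) {
      if (item.type !== 'csp-violation' || !item.body) continue;
      out.push({
        documentUrl: item.body.documentURL ?? '',
        directive: item.body.effectiveDirective ?? '',
        blockedUrl: item.body.blockedURL ?? '',
        disposition: item.body.disposition ?? 'enforce',
      });
    }
  }
  return out;
}

// Strip query strings and fragments so cache-busting parameters do not fan
// out into thousands of distinct rows. Non-URL values such as "inline" or
// "eval" (which blocked-uri can legitimately carry) are kept as they are.
function reportKey(v) {
  const strip = (u) => {
    try { const x = new URL(u); return x.origin + x.pathname; } catch { return u; }
  };
  return `${strip(v.documentUrl)}|${v.directive}|${strip(v.blockedUrl)}`;
}

// Count duplicates instead of storing every report individually.
function aggregate(reports, counts = new Map()) {
  for (const v of reports) {
    const k = reportKey(v);
    counts.set(k, (counts.get(k) ?? 0) + 1);
  }
  return counts;
}

// Constructed sample bodies: the same violation reported in both formats.
const LEGACY_BODY = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://www.example.com/about?utm=1',
  'violated-directive': 'script-src',
  'effective-directive': 'script-src',
  'blocked-uri': 'https://cdn.example.com/lib.js?v=3',
  'disposition': 'enforce',
} });
const REPORT_TO_BODY = JSON.stringify([{
  type: 'csp-violation', age: 10, url: 'https://www.example.com/about',
  body: {
    documentURL: 'https://www.example.com/about?utm=2',
    effectiveDirective: 'script-src',
    blockedURL: 'https://cdn.example.com/lib.js?v=4',
    disposition: 'enforce',
  },
}]);

function demoReports() {
  const counts = aggregate(parseViolationReports(LEGACY_BODY));
  aggregate(parseViolationReports(REPORT_TO_BODY), counts);
  return counts; // one key, counted twice
}

console.log(demoReports());
```

Aggregating on document, directive and blocked URL is what turns a flood of reports into a short list of policy decisions to make; a real endpoint would additionally cap the request body size and persist the counts rather than keep them in memory.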
Refer to the following for changes between levels
The following developer documentation URLs provide a wealth of information regarding CSP and web browser support:
Report bugs to the Github issues list