
The System - Content Security Policy plugin(s) bring this much-needed security functionality to Joomla. The fun doesn't stop there - this set of plugins also implements the report-uri feature of the CSP. You can capture your own csp-report submissions via the included AJAX plugin and have them sent to you nightly using the included CLI script. If you want to browse the data, the AJAX plugin offers a handy report browser. Let's look at all of the features:

  1. Implements all classes of the Content Security Policy standard:
    • Fetch directives
    • Document directives
    • Navigation directives
    • Reporting directives
    • and the eclectic "Other" directives
  2. Injects your settings in a Content-Security-Policy HTTP header
  3. Adds a <meta> tag with your CSP settings
  4. Implements report-uri and report-to
  5. Provides a listener for report-uri and report-to incoming data
  6. Includes a CLI script to be used in a CRON job for nightly reporting to a selected administrator or administrators
  7. Includes a report browser, for immediate review of stored reports
Other headers can be set by this plugin as well:
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Expect-CT
  • Strict-Transport-Security
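As an added illustration (not the plugin's own code) of what the report-uri / report-to listener in items 4 and 5 has to accept, and how the nightly CLI digest in item 6 can group what was stored, the Python sketch below normalizes both delivery formats into one record shape. The two payloads and the URLs in them are constructed samples.

```python
import json
from collections import Counter

# Constructed sample payloads, one per delivery mechanism.
# report-uri: the browser POSTs one object wrapped in "csp-report"
# (hyphenated keys, Content-Type application/csp-report).
REPORT_URI_PAYLOAD = json.dumps({"csp-report": {
    "document-uri": "https://example.com/index.php",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.net/widget.js",
}})

# report-to: the Reporting API POSTs an array; the violation sits in
# "body" with camelCase keys (Content-Type application/reports+json).
REPORT_TO_PAYLOAD = json.dumps([
    {"type": "csp-violation", "url": "https://example.com/index.php",
     "body": {"documentURL": "https://example.com/index.php",
              "effectiveDirective": "script-src",
              "blockedURL": "https://cdn.example.net/widget.js"}},
    {"type": "deprecation", "url": "https://example.com/", "body": {}},
])


def normalize_reports(raw):
    """Return (document_url, directive, blocked_url) tuples from either
    format; non-CSP Reporting API entries (other "type"s) are skipped."""
    data = json.loads(raw)
    out = []
    if isinstance(data, dict) and "csp-report" in data:   # report-uri
        r = data["csp-report"]
        out.append((r.get("document-uri", ""),
                    r.get("effective-directive") or r.get("violated-directive", ""),
                    r.get("blocked-uri", "")))
    elif isinstance(data, list):                          # report-to
        for entry in data:
            if entry.get("type") != "csp-violation":
                continue
            b = entry.get("body", {})
            out.append((b.get("documentURL", ""),
                        b.get("effectiveDirective", ""),
                        b.get("blockedURL", "")))
    return out


def nightly_digest(stored):
    """Group stored violations by (directive, blocked_url), most frequent
    first: the shape a nightly administrator digest would list."""
    return Counter((d, b) for _, d, b in stored).most_common()
```

A real listener must accept both Content-Types above, since a browser that supports the Reporting API may deliver the same violation through report-to rather than report-uri.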

I really tried to give this plugin every feature I would want, and it's running on this site now!

With very little effort, and in very little time - you can pass the securityheaders.io test with an easy "A".


I really love making demo videos for my extensions. Take a peek:

Documentation: Online


Paid Extension FAQ

What am I buying?
  • The extension
  • One year of updates
  • Support
Do you still support free versions?
Only bugfixes
Can I install the extension on multiple sites?
Go for it
Can I give a copy to my friend?
While this is ethically wrong, there is no easy way for me to stop it. However, if your friend wants support he should call you - because I won't talk to him unless he purchases the extension.
What happens to the extension at the end of the year?
Nothing. It remains installed and configured, it just stops receiving updates and support is suspended.
What if I give you an idea that you turn into a paid extension?
You'll be given a lifetime subscription for that extension.
What if I contract you to make a custom extension for me?
There are two options, and I may or may not offer both.
  1. You will be given a quote for outright ownership of the extension.
  2. If it's something that I believe will benefit the community, I may offer a reduced quote where I retain ownership along with the promise that it will remain a free extension.