The System - Content Security Policy plugins bring this much-needed security functionality to Joomla. The fun doesn't stop there - this set of plugins also implements the report-uri feature of CSP. You can capture your own csp-report data via the included AJAX plugin and have it sent to you nightly using the included CLI script. If you want to browse the data, the AJAX plugin offers a handy report browser. I really tried to give this plugin every feature I would want, and it's running on this site now!
With very little effort, and in very little time, you can pass the securityheaders.io test with an easy "A".
- Implements all classes of the Content Security Policy standard
  - Fetch directives
  - Document directives
  - Navigation directives
  - Reporting directives
  - "Other" directives
- Injects your settings in a Content-Security-Policy HTTP header
- (optionally) Adds a `<meta http-equiv="Content-Security-Policy">` tag with your CSP settings
- Implements report-uri and report-to
- Provides a listener for report-uri and report-to incoming data
- Includes a CLI script to be used in a CRON job for nightly reporting to a selected administrator or administrators
- Includes a report browser, for immediate review of stored reports
- Sets X-Content-Type-Options
- Sets X-Frame-Options
- Sets X-XSS-Protection
- Sets Referrer-Policy
- Sets Expect-CT
- Sets Strict-Transport-Security
- Sets Feature-Policy
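To show what the header injection and the report-uri/report-to listener described above involve, here is an added PHP example. It is not the plugin's own code: the directive values, the report endpoint path and the function names are assumptions chosen for illustration, and the two sample report bodies are constructed to match what browsers send on each channel (`application/csp-report` for report-uri, `application/reports+json` for report-to).

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Directive names and values are
// assumptions illustrating the directive classes listed on the page; the
// report-uri path is a placeholder for whatever endpoint the AJAX plugin exposes.
const CSP_DIRECTIVES = [
    'fetch' => [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", 'https://cdn.example.invalid'],
        'img-src'     => ["'self'", 'data:'],
    ],
    'document' => [
        'base-uri' => ["'self'"],
    ],
    'navigation' => [
        'form-action'     => ["'self'"],
        'frame-ancestors' => ["'none'"],
    ],
    'reporting' => [
        'report-uri' => ['/index.php?option=com_ajax&plugin=cspreport&format=raw'], // placeholder
        'report-to'  => ['csp-endpoint'],
    ],
];

/** Flatten the grouped directives into one Content-Security-Policy header value. */
function buildCspHeader(array $groups): string
{
    $parts = [];
    foreach ($groups as $directives) {
        foreach ($directives as $name => $values) {
            $parts[] = $name . ' ' . implode(' ', $values);
        }
    }
    return implode('; ', $parts);
}

/** Report fields are attacker-controllable: strip control characters and cap the length. */
function cleanField($value, int $max = 1024): string
{
    if (!is_scalar($value)) {
        return '';
    }
    $text = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value);
    return mb_substr($text, 0, $max);
}

/**
 * Normalise violation reports from either channel into one record shape.
 * report-uri posts a single {"csp-report": {...}} object with hyphenated keys;
 * report-to posts an array of {"type","url","body"} reports with camelCase keys.
 */
function normaliseCspReports(string $contentType, string $rawBody): array
{
    $decoded = json_decode($rawBody, true, 8);
    if (!is_array($decoded)) {
        return [];
    }

    $bodies = [];
    if (strpos($contentType, 'application/csp-report') === 0 && is_array($decoded['csp-report'] ?? null)) {
        $bodies[] = $decoded['csp-report'];
    } elseif (strpos($contentType, 'application/reports+json') === 0) {
        foreach ($decoded as $report) {
            if (is_array($report) && ($report['type'] ?? '') === 'csp-violation' && is_array($report['body'] ?? null)) {
                $bodies[] = $report['body'];
            }
        }
    }

    $records = [];
    foreach ($bodies as $b) {
        $records[] = [
            'document_uri'        => cleanField($b['document-uri'] ?? $b['documentURL'] ?? ''),
            'effective_directive' => cleanField($b['effective-directive'] ?? $b['effectiveDirective'] ?? $b['violated-directive'] ?? ''),
            'blocked_uri'         => cleanField($b['blocked-uri'] ?? $b['blockedURL'] ?? ''),
            'source_file'         => cleanField($b['source-file'] ?? $b['sourceFile'] ?? ''),
            'line_number'         => (int) ($b['line-number'] ?? $b['lineNumber'] ?? 0),
            'disposition'         => cleanField($b['disposition'] ?? 'enforce', 16),
        ];
    }
    return $records;
}

// Constructed sample inputs, shaped like what a browser posts on each channel.
$legacy = '{"csp-report":{"document-uri":"https://example.invalid/","violated-directive":"script-src",'
        . '"effective-directive":"script-src","blocked-uri":"https://third-party.invalid/x.js","line-number":12}}';
$modern = '[{"age":5,"type":"csp-violation","url":"https://example.invalid/","body":{"documentURL":"https://example.invalid/",'
        . '"effectiveDirective":"img-src","blockedURL":"data","disposition":"report","lineNumber":3}}]';

echo 'Content-Security-Policy: ' . buildCspHeader(CSP_DIRECTIVES), "\n";
print_r(normaliseCspReports('application/csp-report', $legacy));
print_r(normaliseCspReports('application/reports+json; charset=utf-8', $modern));
```

The listener side is where care matters: anyone can POST to a report endpoint, and the fields end up in nightly e-mails and in the report browser, so the example strips control characters and caps field lengths before anything is stored, and it ignores bodies whose content type or structure does not match one of the two report formats.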