Security headers module for Silverstripe 4. It lets you set security headers, including a Content Security Policy (CSP), from YAML config.

You should set your own rules in your project's yml file. The snippets below are only a basic usage example.
## Basic usage

```yaml
DNADesign\SecurityHeaders\SecurityHeadersExtension:
  # Add exceptions per page type - Optional
  exceptions:
    - PageType
  headers:
    - ...
  whitelist:
    - ...
```
Add the appropriate rules in your local `_config/.yml` file. Note the YAML quoting: CSP keywords such as `'self'` need their own single quotes in the header value, so inside a single-quoted YAML scalar they are written as `'''self'''`.

```yaml
# CSP extended e.g.
DNADesign\SecurityHeaders\SecurityHeadersExtension:
  headers:
    Strict-Transport-Security: 'max-age=31536000; includeSubDomains'
    X-Frame-Options: 'SAMEORIGIN'
    # note: 'self' is a CSP keyword, not a valid value for this CORS header;
    # use an explicit origin, or omit the header if no cross-origin access is needed
    Access-Control-Allow-Origin: 'self'
    X-Content-Type-Options: nosniff
    Referrer-Policy: strict-origin-when-cross-origin
    # 'whitelist' tells the module to build the CSP value from the whitelist map below
    Content-Security-Policy: whitelist
  whitelist:
    default-src:
      data:
        - '''none'''
    script-src:
      data:
        - '''self'''
        - '''unsafe-inline'''
        - '''unsafe-eval'''
    style-src:
      data:
        - '''self'''
        - '''unsafe-inline'''
    font-src:
      data:
        - '''self'''
    img-src:
      data:
        - '''self'''
        - 'data:'
        - 'https://www.google.com'
    form-action:
      data:
        - '''self'''
    manifest-src:
      data:
        - '''self'''
    frame-src:
      data:
        - 'https://www.google.com'
    frame-ancestors:
      data:
        - '''self'''
    connect-src:
      data:
        - '''self'''
        - 'https://www.google.com'
    base-uri:
      data:
        - '''self'''
```
You can test your CSP rules with [CSP Evaluator](https://csp-evaluator.withgoogle.com/) and Caspr:Enforcer.

This module was based on guttmann/silverstripe-security-headers.

I am not a security expert - there are no default header rules used in this module, you should do your own research and see if anything from the above example fits your needs.

Please send me a pull request for any issues you spot or improvements that can be made.
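To see what the whitelist above turns into, and to get a quick local review before pasting the result into CSP Evaluator, here is an added example script that is not part of this module. It copies the README's whitelist as Python data, renders it into a header value, and flags the points a reviewer would raise. The rendering rule (directive name, then the `data` values joined by spaces, directives joined by `; `) is an assumption about how a whitelist of this shape becomes a header; check the module's own output against it.

```python
"""Render and audit a CSP whitelist of the shape shown in the README.

Added example, not the module's own code. The rendering rule below is an
assumption about how the module joins the whitelist into a header value.
"""

# Constructed copy of the README's whitelist, expressed as Python data.
WHITELIST = {
    "default-src": {"data": ["'none'"]},
    "script-src": {"data": ["'self'", "'unsafe-inline'", "'unsafe-eval'"]},
    "style-src": {"data": ["'self'", "'unsafe-inline'"]},
    "font-src": {"data": ["'self'"]},
    "img-src": {"data": ["'self'", "data:", "https://www.google.com"]},
    "form-action": {"data": ["'self'"]},
    "manifest-src": {"data": ["'self'"]},
    "frame-src": {"data": ["https://www.google.com"]},
    "frame-ancestors": {"data": ["'self'"]},
    "connect-src": {"data": ["'self'", "https://www.google.com"]},
    "base-uri": {"data": ["'self'"]},
}

# Directives that do NOT fall back to default-src when absent.
NON_INHERITING = ("base-uri", "form-action", "frame-ancestors")


def render_csp(whitelist):
    """Join the whitelist into one Content-Security-Policy header value."""
    parts = []
    for directive, spec in whitelist.items():
        values = " ".join(spec.get("data", []))
        parts.append(f"{directive} {values}".strip())
    return "; ".join(parts)


def audit_csp(whitelist):
    """Return reviewer findings for the policy (empty list means nothing flagged)."""
    findings = []
    for directive, spec in whitelist.items():
        values = spec.get("data", [])
        if directive in ("default-src", "script-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in values:
                    findings.append(
                        f"{directive}: {weak} lets inline or eval'd script run, "
                        "which is what a CSP is meant to block"
                    )
        if "*" in values:
            findings.append(f"{directive}: wildcard source allows any origin")
        for value in values:
            if value.startswith("http://"):
                findings.append(
                    f"{directive}: plaintext origin {value} undermines Strict-Transport-Security"
                )
    for directive in NON_INHERITING:
        if directive not in whitelist:
            findings.append(f"{directive} is unset and does not fall back to default-src")
    return findings


if __name__ == "__main__":
    print("Content-Security-Policy:", render_csp(WHITELIST))
    for finding in audit_csp(WHITELIST):
        print("-", finding)
```

Run against the README's whitelist it reports the two `script-src` keywords (`'unsafe-inline'` and `'unsafe-eval'`); everything else in that example is a concrete HTTPS origin or a keyword, and the three directives that do not inherit from `default-src` are all set. Dropping `base-uri`, `form-action` or `frame-ancestors` from your own yml would surface as a finding, which is the case CSP Evaluator also warns about.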