Content Security Policy manager for Craft CMS.

This plugin requires Craft CMS 4.0.0 or later.

composer require cloudgrayau/csp

CSP is a Content Security Policy and HTTP Header Response manager for Craft CMS.

This plugin is 100% compatible with any nonces generated by the Automatic Render Enabled setting inside SEOmatic Plugin Settings (General). To ensure compatibility, please set the Nonces for <script> tags to Response Headers inside the SEOmatic Plugin Settings (Tags).

Please note; any script-src CSP tags set within SEOmatic will also be applied. The Content-Security-Policy HTTP Response Header applied by SEOMatic is automatically overridden and/or removed.

To ensure the Content Security Policy remains compatible with Blitz Caching enabled, please ensure the CSP Mode is set to Meta Tags inside the CSP Settings (Settings).

The plugin can be configured via the Craft CMS Settings or by using the supplied config/csp.php file. Additional nonces can be configured in your templates as follows:

{# HTML #}
<script src="url/of/script.js" nonce="{{ csp('script-src') }}"></script>
<link href="url/of/style.css" rel="stylesheet" nonce="{{ csp('style-src') }}" />

{# CSS Twig tags #}
{% do view.registerCssFile(url('scss/styles.scss'), { nonce: csp('style-src') }) %}
{% do view.registerCss('<body>background:red;</body>', { nonce: csp('style-src') }) %}

{# JS Twig tags #}
{% do view.registerJsFile(url('js/site.js'), { nonce: csp('script-src') }) %}

The CSP configuration can be updated in realtime via your templates with twig. This can be useful, for example to disable the CSP on XHR requests.

{% do craft.csp.config({'cspEnabled': false}) %}

Brought to you by Cloud Gray Pty Ltd