Kirby 3 Content Security Policy


Kirby 3 Plugin for easier Security Headers setup.

🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients' websites and their customers' data is important.

Commercial Usage

This plugin is free, but if you use it in a commercial project please consider to

Installation

  • unzip master.zip as folder site/plugins/kirby3-security-headers or
  • git submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headers or
  • composer require bnomei/kirby3-security-headers

Dependencies

Automatic Setup

A route:before hook sets the headers automatically on every setup that is not localhost or a webpack dev server.

Manual Setup

  • Set bnomei.securityheaders.route.before to false in your config file.
  • Set the headers before any other output is sent.
  • Do NOT leave whitespace between the snippet call and the doctype statement.
  • Read the FAQs.
<?php
  // sets all security headers; must run before any output, whitespace included
  snippet('plugin-securityheaders');
?><!DOCTYPE html>
<!-- ... -->

Settings

All setting keys below need to be prefixed with bnomei.securityheaders. (for example bnomei.securityheaders.enabled).

enabled

  • default: true will set headers

enabled.panel

  • default: false will not set headers in panel

route.before

  • default: true will set headers with a route:before-hook

headers

  • default: an array of sensible default values. Modify as needed.

csp

  • default: null limits all content to the current domain by setting default-src, style-src, script-src, image-src, font-src and connect-src. It will NOT add 'unsafe-inline' or 'unsafe-eval'; use nonces and hashes instead.

nonces

  • default: [] lets you define plain-text strings; on every page request each string is mapped to a fresh, unique base64-encoded nonce that is added to the header. Use $page->nonce('plain-string') to retrieve the nonce.

TIP: kirby3-htmlhead nonces are always defined.

hashes

  • default: [] lets you add valid hash definitions to the headers.
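The following is an added illustration, not the plugin's own code, of the nonce and hash mechanism described under csp, nonces and hashes. It is plain PHP that runs without Kirby; the function names and the sample nonce names and inline script are assumptions.

```php
<?php
// Added example (not part of the plugin): how per-request nonces and source
// hashes replace 'unsafe-inline' in a Content-Security-Policy header.

// Map plain-text nonce names (like the `nonces` setting) to fresh random
// base64 values. A new map is built on every request, so a nonce that leaked
// from one response is useless for the next one.
function buildNonces(array $names): array
{
    $nonces = [];
    foreach ($names as $name) {
        $nonces[$name] = base64_encode(random_bytes(16)); // 128 bits of entropy
    }
    return $nonces;
}

// CSP hash source for one inline script or style body (like the `hashes`
// setting). The hash covers the exact bytes between the tags, whitespace included.
function cspHash(string $inline, string $algo = 'sha256'): string
{
    return sprintf("'%s-%s'", $algo, base64_encode(hash($algo, $inline, true)));
}

// Assemble a script-src directive that allows only same-origin files plus the
// whitelisted inline code. There is no 'unsafe-inline' and no 'unsafe-eval':
// any script injected without a matching nonce or hash is blocked by the browser.
function scriptSrc(array $nonces, array $hashes): string
{
    $sources = ["'self'"];
    foreach ($nonces as $value) {
        $sources[] = "'nonce-{$value}'";
    }
    return 'script-src ' . implode(' ', array_merge($sources, $hashes));
}

// Constructed sample request: two named nonces and one hashed inline script.
$nonces = buildNonces(['analytics', 'menu-toggle']);
$inline = "document.body.classList.add('js');";
$hashes = [cspHash($inline)];
$policy = "default-src 'self'; " . scriptSrc($nonces, $hashes);

header('Content-Security-Policy: ' . $policy); // must precede any output
echo '<!DOCTYPE html><html><head>';
// inline script allowed by its nonce (the plugin exposes this via $page->nonce('analytics'))
echo '<script nonce="' . htmlspecialchars($nonces['analytics'], ENT_QUOTES) . '">initAnalytics();</script>';
// inline script allowed by its hash; changing a single byte would block it
echo '<script>' . $inline . '</script>';
echo '</head></html>';
```

Run with `php example.php` to see the markup; the header line is only sent when served through a web SAPI.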

Disclaimer

This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.

License

MIT

It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.
