Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Kirby 3 Content Security Policy Header

Release Downloads Build Status Coverage Status Maintainability

Kirby 3 Plugin for easier Security Headers setup.

🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients websites and their customers data is important.

  1. Automatic Setup
  2. Setup: Headers
  3. Setup: Loader
  4. Setup: Setter
  5. Frontend Nonce
  6. Settings

Commerical Usage

This plugin is free but if you use it in a commercial project please consider to


  • unzip as folder site/plugins/kirby3-security-headers or
  • git submodule add site/plugins/kirby3-security-headers or
  • composer require bnomei/kirby3-security-headers



A route:before-hook takes care of setting the headers automatically unless one of the following conditions applies:

  • Kirbys global debug mode is true
  • Kirby determins it is a local setup
  • the plugins setting enabled is set to false


The following headers will be applied by default. You can override them in the config file.


return [
    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-Frame-Options" => "SAMEORIGIN",
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "strict-transport-security" => "max-age=31536000; includeSubdomains",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', // flock-off,
        // ... FEATURE POLICIES
    // other options...


The Loader is used to initally create the CSPBuilder object with a given set of data. You skip that, forward a file to load, provide an array or use the default loader file. Using a custom file is recommended when for example adding additional font-src for google web fonts.


return [
    'bnomei.securityheaders.loader' => function () {
        // null if you do NOT want to use default and/or just the setter
            return null;
        // return path of file (json or yaml)
        // or an array of options for the cspbuilder
            return [...];
            return kirby()->roots()->site() . '/your-csp.json';
            return kirby()->roots()->site() . '/your-csp.yml';
        // otherwise forward the default file from this plugin
        return __DIR__ . '/loader.json';
    // other options...


The Setter is applied after the Loader. Use it to add dynamic stuff like hashes and nonces.


return [
    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
        /** @var ParagonIE\CSPBuilder\CSPBuilder $csp */
            $csp = $instance->csp();
            $nonce = $instance->setNonce('my-inline-script');
            $csp->nonce('script-src', $nonce);
        // in your template retrieve it again with
            $nonce = $page->nonce('my-inline-script');
            => `THIS-IS-THE-NONCE`
            $attr = $page->nonceAttr('my-inline-script');
            => `nonce="THIS-IS-THE-NONCE"`
    // other options...

TIP: nonces are set in the setter and later retrieved using $page->nonce(...) or $page->nonceAttr(...).

Panel and Frontend Nonces

This plugin automatically registers Kirbys nonce for the panel. For convenience it also provides you with a single frontend nonce to use as attribute in <link>, <style> and <script> elements. You can retrieve the nonce with site()->nonce() and the full attribute with site()->nonceAttr().

<?php ?>

<script nonce="<?= site()->nonce() ?>">
// ...

<style <?= site()->nonceAttr() ?>>


TIP: The srcset plugin uses that frontend nonce as well.


bnomei.securityheaders. Default Description
enabled true or false or 'force' will set headers
seed callback returns a seed for frontend nonce
headers array of sensible default values. modify as needed.
loader callback returning filepath or array
setter callback instance which allows customizing the CSPBuilder



This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.



It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.