limesoda-com/ls-security-headers 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

limesoda-com/ls-security-headers

Composer 安装命令:

composer require limesoda-com/ls-security-headers

包简介

Configures security headers like content security policy

README 文档

README

TYPO3 13

TYPO3 Extension ls_security_headers

This extension offers configurable security headers for the frontend. You can easily create and manage them in a database record of your root page in the TYPO3 backend.
This comes in handy if for example resources are regularly added/changed, and you need to update the content security policy (CSP) accordingly.
The extension also offers the generation of CSP nonces.

Setup

  1. Install the extension by using composer
  2. Import the provided site set in your site config or set it as dependency in the site set of your site package(s)
  3. Create a "Security Headers" record on the root page and configure the desired headers
  4. Validate your configuration with the scanners of HTTP Observatory, securityheaders.com and/or many others.

Important Notes

  • It's highly recommended to use this extension only if the TYPO3 core feature security.frontend.enforceContentSecurityPolicy is disabled.
  • Security Headers that are defined in the .htaccess or in some other server configuration will not be overwritten.
  • If EXT:staticfilecache is used, you have to extend the validHtaccessHeaders extension setting.
  • Security Headers for the TYPO3 Backend can be defined in settings.php or additional.php with the BE setting "HTTP".

Features

Nonce support

This extension includes a TypoScript helper function for generating CSP nonces.
All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy header at the end of the request.
Basic usage:

<style nonce="{f:cObject(typoscriptObjectPath: 'lib.cspNonce', data: {length: '32', policy: 'style'})}">

The policy argument defines the policy the nonce should be added to (style for style-src, script for script-src, ...). The length argument defines the length of the nonce in bytes.

Furthermore, it's possible to get the nonce output as attribute with the flag asAttribute = '1'. A possible use case is the replacement feature of TypoScript:

page.headerData.200 = COA
page.headerData.200 {
    10 = TEXT
    10.value (
        <script###NONCE###>
            console.log('Hello World');
        </script>
    )
    10.value {
        replacement {
            1 {
                search = ###NONCE###
                replace.stdWrap.postUserFuncInt = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
                replace.stdWrap.postUserFuncInt {
                    length = 32
                    policy = script
                    asAttribute = 1
                }
            }
        }
    }
}

Additionally, you can write your own library for the cObject-ViewHelper:

lib.nonceAttribute = USER_INT
lib.nonceAttribute {
    userFunc = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
    length = 32
    policy = script
    asAttribute = 1
}

CSP Reporting

Local Reporting

The extension provides local CSP reporting that can be enabled in the extension settings. The reports are stored in
the database and can be accessed in the TYPO3 backend module "Security Headers". Additionally, a dashboard widget is
available for a quick overview.

External Reporting

The extension supports external reporting of Content Security Policy (CSP) violations. To configure this, open the
"Content Security Policy (CSP)" tab in the security headers record and scroll to the "External reporting" fieldset
at the bottom. There, you can enable reporting and define the endpoint name and URL to which CSP violation reports
should be sent. If external reporting is enabled, local reporting is automatically disabled.

Ressources

limesoda-com/ls-security-headers 适用场景与选型建议

limesoda-com/ls-security-headers 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 3.15k 次下载、GitHub Stars 达 4, 最近一次更新时间为 2023 年 01 月 04 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「extension」 「TYPO3 CMS」 「security headers」 「LIMESODA」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 limesoda-com/ls-security-headers 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 limesoda-com/ls-security-headers 我们能提供哪些服务?
定制开发 / 二次开发

基于 limesoda-com/ls-security-headers 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 3.15k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 4
  • 点击次数: 5
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 4
  • Watchers: 6
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-2.0-or-later
  • 更新时间: 2023-01-04