dnadesign/silverstripe-securityheaders
最新稳定版本:1.2
Composer 安装命令:
composer require dnadesign/silverstripe-securityheaders
包简介
Enable setting of content security policy (CSP)
README 文档
README
Security headers module for Silverstripe v4. Enable setting of content security policy (CSP).
Setting CSP rules
You should set your own rules in your yml file. Below is just a basic usages example.
The basic usage
DNADesign\SecurityHeaders\SecurityHeadersExtension: # Add exceptions per page type - Optional exceptions: - PageType headers: - ... whitelist: - ...
Add the adequate rules in your local _config/.yml file
# CSP extended e.g DNADesign\SecurityHeaders\SecurityHeadersExtension: headers: Strict-Transport-Security: 'max-age=31536000; includeSubDomains' X-Frame-Options: 'SAMEORIGIN' Access-Control-Allow-Origin: 'self' X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin Content-Security-Policy: whitelist whitelist: default-src: data: - '''none''' script-src: data: - '''self''' - '''unsafe-inline''' - '''unsafe-eval''' style-src: data: - '''self''' - '''unsafe-inline''' font-src: data: - '''self''' img-src: data: - '''self''' - 'data:' - 'https://www.google.com' form-action: data: - '''self''' manifest-src: data: - '''self''' frame-src: data: - 'https://www.google.com' frame-ancestors: data: - '''self''' connect-src: data: - '''self''' - 'https://www.google.com' base-uri: data: - '''self'''
Testing
You can test your CSP rules with CSP Evaluator and Caspr:Enforcer
References
This module was based on guttmann/silverstripe-security-headers
Disclaimer
I am not a security expert - there are no default header rules used in this module, you should do your on research and see if anything from the above example fits your needs.
Please send me a pull request for any issues you spot or improvements that can be made.
统计信息
- 总下载量: 941
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 2
- 点击次数: 3
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: BSD-3-Clause
- 更新时间: 2022-05-22