/kirby3-security-headers

Kirby Plugin for easier Security Headers setup

Primary LanguagePHPMIT LicenseMIT

Kirby Content Security Policy Header

Release Downloads Build Status Coverage Status Maintainability
Twitter

Kirby Plugin for easier Security Headers setup.

🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients websites and their customers data is important.

  1. Automatic Setup
  2. Setup: Headers
  3. Setup: Loader
  4. Setup: Setter
  5. Frontend Nonce
  6. Settings

Commercial Usage


Support open source!

This plugin is free but if you use it in a commercial project please consider to sponsor me or make a donation.
If my work helped you to make some cash it seems fair to me that I might get a little reward as well, right?

Be kind. Share a little. Thanks.

‐ Bruno
 
M O N E Y
Github sponsor Patreon Buy Me a Coffee Paypal dontation Hire me

Installation

  • unzip master.zip as folder site/plugins/kirby3-security-headers or
  • git submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headers or
  • composer require bnomei/kirby3-security-headers

Setup

Automatic

A route:before-hook takes care of setting the headers automatically unless one of the following conditions applies:

  • Kirbys global debug mode is true
  • Kirby determins it is a local setup
  • the plugins setting enabled is set to false

Header

The following headers will be applied by default. You can override them in the config file.

/site/config/config.php

<?php
return [
    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-Frame-Options" => "SAMEORIGIN",
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "strict-transport-security" => "max-age=31536000; includeSubdomains",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', // flock-off,
        // ... FEATURE POLICIES
    // other options...
];

Loader

The Loader is used to initally create the CSPBuilder object with a given set of data. You skip that, forward a file to load, provide an array or use the default loader file. Using a custom file is recommended when for example adding additional font-src for google web fonts.

/site/config/config.php

<?php
return [
    'bnomei.securityheaders.loader' => function () {
        // https://github.com/paragonie/csp-builder#example
        // null if you do NOT want to use default and/or just the setter
        /*
            return null;
         */
        // return path of file (json or yaml)
        // or an array of options for the cspbuilder
        /*
            return [...];
            return kirby()->roots()->site() . '/your-csp.json';
            return kirby()->roots()->site() . '/your-csp.yml';
        */
        // otherwise forward the default file from this plugin
        return __DIR__ . '/loader.json';
    },
    // other options...
];

Setter

The Setter is applied after the Loader. Use it to add dynamic stuff like hashes and nonces.

/site/config/config.php

<?php
return [
    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
        // https://github.com/paragonie/csp-builder#build-a-content-security-policy-programmatically
        /** @var ParagonIE\CSPBuilder\CSPBuilder $csp */
        /*
            $csp = $instance->csp();
            $nonce = $instance->setNonce('my-inline-script');
            $csp->nonce('script-src', $nonce);
        */
        // in your template retrieve it again with
        /*
            $nonce = $page->nonce('my-inline-script');
            => `THIS-IS-THE-NONCE`
            $attr = $page->nonceAttr('my-inline-script');
            => `nonce="THIS-IS-THE-NONCE"`
        */
    },
    // other options...
];

TIP: nonces are set in the setter and later retrieved using $page->nonce(...) or $page->nonceAttr(...).

Panel and Frontend Nonces

This plugin automatically registers Kirbys nonce for the panel. For convenience it also provides you with a single frontend nonce to use as attribute in <link>, <style> and <script> elements. You can retrieve the nonce with site()->nonce() and the full attribute with site()->nonceAttr().

<?php ?>

<script nonce="<?= site()->nonce() ?>">
// ...
</script>

<style <?= site()->nonceAttr() ?>>

</style>

TIP: The srcset plugin uses that frontend nonce as well.

Settings

bnomei.securityheaders. Default Description
enabled true or false or 'force' will set headers
seed callback returns a seed for frontend nonce
headers array of sensible default values. modify as needed.
loader callback returning filepath or array
setter callback instance which allows customizing the CSPBuilder

Dependencies

Disclaimer

This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.

License

MIT

It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.