Active · WordPress plugin

altis/browser-security
======================

Browser security utilities for WordPress/Altis

Latest release 2.2.0 (2mo ago) · [7 issues](https://github.com/humanmade/altis-browser-security/issues) · GPL-2.0 · PHP >=7.1 · CI failing

Listed since Oct 29 · pushed 2mo ago · 19 watchers

[Source](https://github.com/humanmade/altis-browser-security) · [Packagist](https://packagist.org/packages/altis/browser-security)

Altis Browser Security
======================

Improve the browser security of your WordPress site.

Built for, and included with, [Altis, the WordPress Digital Experience Platform for Enterprise](https://www.altis-dxp.com/).

Installation
------------

You can use this plugin either directly as a submodule or as a Composer dependency.

```
# For submodule usage:
git submodule add https://github.com/humanmade/altis-browser-security.git wp-content/plugins/altis-browser-security

# For Composer usage:
composer require altis/browser-security
```

Configuration
-------------

If you are using this as part of the [Altis DXP](https://www.altis-dxp.com/), configuration is handled via the configuration framework. Consult the [Altis security module documentation](https://www.altis-dxp.com/resources/docs/security/browser/).

As a standalone plugin, you can use the following constants to change the behaviour of this module:

- `ABS_AUTOMATIC_INTEGRITY` (`bool`): True to enable automatic generation of integrity hashes, false to disable. (True by default.)
- `ABS_NOSNIFF_HEADER` (`bool`): True to send `X-Content-Type-Options: nosniff`, false to disable. (True by default.)
- `ABS_FRAME_OPTIONS_HEADER` (`bool`): True to send `X-Frame-Options: SAMEORIGIN`, false to disable. (True by default.)
- `ABS_XSS_PROTECTION_HEADER` (`bool`): True to send `X-XSS-Protection: 1; mode=block`, false to disable. (True by default.)

Features
--------

### Subresource Integrity

This plugin automatically adds [subresource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) hashes where possible. A hash can only be generated for an asset the plugin can read from the local filesystem, i.e. plugin and theme assets served from the same host; assets loaded from a CDN or any other third-party host are not hashed automatically and must be given a hash by hand (see below).

These hashes will be automatically cached in the object cache, linked to the filename and version of the script or stylesheet.

For external assets, you can manually set the integrity hash. After enqueuing (or registering) your asset, use the `set_hash_for_script()` or `set_hash_for_style()` helpers:

```
use Altis\Security\Browser;

// Setting hashes for scripts. The value is <algorithm>-<base64 digest> of the exact
// bytes served from the URL; if the served file differs, the browser refuses to run it.
wp_enqueue_script( 'my-handle', 'https://...' );
Browser\set_hash_for_script( 'my-handle', 'sha384-...' );

// Setting hashes for styles.
wp_enqueue_style( 'my-handle', 'https://...' );
Browser\set_hash_for_style( 'my-handle', 'sha384-...' );
```
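The README tells you to supply a `sha384-...` value for external assets but not how to produce one. The following is an added example, not code from this plugin: it computes an SRI integrity value from the bytes of a downloaded asset, verifies a fetched copy against an existing value (useful in a build step to catch a CDN file that changed under a pinned URL), and then registers the hash with the plugin's `set_hash_for_script()` helper. The asset bytes, the `my-widget` handle and the `https://cdn.example.com/...` URL are constructed for illustration.

```php
<?php
declare( strict_types=1 );

// Digest algorithms the SRI specification permits.
const SRI_ALGORITHMS = [ 'sha256', 'sha384', 'sha512' ];

/**
 * Return the integrity value ("sha384-<base64 digest>") for the given bytes.
 * Browsers recompute this over the fetched response body, so hash exactly the
 * bytes the CDN serves: download the pinned, versioned URL you enqueue, never
 * a "latest" alias that can change underneath you.
 */
function sri_integrity_for_bytes( string $bytes, string $algo = 'sha384' ) : string {
	if ( ! in_array( $algo, SRI_ALGORITHMS, true ) ) {
		throw new InvalidArgumentException( "Unsupported SRI algorithm: $algo" );
	}
	return $algo . '-' . base64_encode( hash( $algo, $bytes, true ) );
}

/**
 * Check fetched bytes against an expected integrity value. Returns false for an
 * unknown algorithm prefix or a digest mismatch. Run this in a build or deploy
 * step so a changed CDN file is noticed before browsers start refusing it.
 */
function sri_matches( string $bytes, string $expected ) : bool {
	$dash = strpos( $expected, '-' );
	if ( $dash === false || ! in_array( substr( $expected, 0, $dash ), SRI_ALGORITHMS, true ) ) {
		return false;
	}
	return hash_equals( $expected, sri_integrity_for_bytes( $bytes, substr( $expected, 0, $dash ) ) );
}

// Constructed sample standing in for a downloaded copy of the CDN file.
$asset     = "window.widget = function () { return 42; };\n";
$integrity = sri_integrity_for_bytes( $asset );
echo $integrity, PHP_EOL;

// A single changed byte must fail the check, which is also what the browser does.
var_dump( sri_matches( $asset, $integrity ) );
var_dump( sri_matches( $asset . ' ', $integrity ) );

// Register the external asset and its hash with the plugin (hypothetical handle and URL).
if ( function_exists( 'add_action' ) ) {
	add_action( 'wp_enqueue_scripts', function () use ( $integrity ) : void {
		wp_enqueue_script( 'my-widget', 'https://cdn.example.com/widget/1.2.3/widget.js', [], '1.2.3', true );
		\Altis\Security\Browser\set_hash_for_script( 'my-widget', $integrity );
	} );
}
```

Run the file with `php` outside WordPress to see the integrity value and the two checks; inside WordPress the final block does the registration. Keep the hash next to the pinned version string so both are updated together when you upgrade the asset.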

### Content-Security-Policy

This plugin can gather and send [Content-Security-Policy policies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) for you automatically.

**Out of the box, no policies are sent.** CSP policies tend to be specific to sites, so no assumptions are made about what you may want.

Add a filter to `altis.security.browser.content_security_policies` to set policies. This filter receives an array, where the keys are the policy directive names. Each item can either be a string or a list of directive value strings:

```
add_filter( 'altis.security.browser.content_security_policies', function ( array $policies ) : array {
	// Policies can be set as strings.
	$policies['object-src'] = 'none';
	$policies['base-uri'] = 'self';

	// Policies can also be set as arrays.
	$policies['font-src'] = [
		'https://fonts.gstatic.com',
		'https://cdnjs.cloudflare.com',
	];

	// Keyword values (such as unsafe-inline) are quoted for you. Note that this
	// particular combination permits scripts from any HTTPS host plus inline
	// scripts, so it illustrates the syntax rather than a policy to deploy.
	$policies['script-src'] = [
		'https:',
		'unsafe-inline',
	];

	return $policies;
} );
```

Keyword source values (`'self'`, `'unsafe-inline'`, `'unsafe-eval'`, `'none'`, `'strict-dynamic'`) are wrapped in the single quotes the header syntax requires, so write them as plain strings (`'self'`) rather than nesting quotes (`"'self'"`).

You can also modify individual directives if desired:

```
// You can filter specific keys via the filter name.
add_filter( 'altis.security.browser.filter_policy_value.font-src', function ( array $values ) : array {
	$values[] = 'https://fonts.gstatic.com';
	return $values;
} );

// A filter is also available with the directive name in a parameter.
add_filter( 'altis.security.browser.filter_policy_value', function ( array $values, string $name ) : array {
	if ( $name === 'font-src' ) {
		$values[] = 'https://cdnjs.cloudflare.com';
	}

	return $values;
} );
```

To build Content-Security-Policy policies, we recommend using the [Laboratory CSP toolkit extension](https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/) for Firefox, and the [CSP Evaluator tool](https://csp-evaluator.withgoogle.com/).

#### Report-Only Policies

To send a [Content-Security-Policy-Report-Only header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only), use the exact same process described above for the ordinary CSP policies with the alternative filter `altis.security.browser.report_only_content_security_policies`.

An external service must be used to ingest the reports from Report-Only policies. The external service will provide you with a reporting URL, which you use by adding a `report-uri` directive with that URL. `report-uri` is deprecated in CSP Level 3 in favour of `report-to`, but it remains the directive that browsers honour most widely, so it is still the practical choice.

As an example, you can add a reporting directive to your Report-Only policies by filtering the policies array:

```
add_filter( 'altis.security.browser.report_only_content_security_policies', function ( array $policies ) : array {
	$policies['report-uri'] = 'https://example.uriports.com/reports';
	return $policies;
} );
```

You can also modify individual directives for use in report-only policies in the same manner described above, using the filters:

- `altis.security.browser.filter_report_only_policy_value.{ directive name }`
- `altis.security.browser.filter_report_only_policy_value`

Both normal and report-only policies may be used simultaneously.
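Putting the enforced and report-only filters together: the example below is added here and is not part of the plugin. It places a hardened enforced policy beside the weak `https:` plus `unsafe-inline` illustration from above, stages a stricter report-only candidate for the next tightening step, and includes a small checker for the `script-src` mistakes CSP Evaluator flags. The `render_csp()` function is only a local stand-in for inspecting the header string an array describes; the plugin builds its own header and its exact formatting may differ. The host names, the reporting URL and the extra keyword names beyond the five listed in the README are illustrative.

```php
<?php
declare( strict_types=1 );

// Keyword source values that the header syntax requires in single quotes.
const CSP_KEYWORDS = [ 'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes', 'report-sample' ];

/**
 * Render the array shape the filter receives into a header value, so a policy can
 * be inspected locally. Illustrative only: the plugin renders its own header.
 */
function render_csp( array $policies ) : string {
	$parts = [];
	foreach ( $policies as $directive => $values ) {
		$values = array_map( function ( string $v ) : string {
			return in_array( $v, CSP_KEYWORDS, true ) ? "'" . $v . "'" : $v;
		}, (array) $values );
		$parts[] = trim( $directive . ' ' . implode( ' ', $values ) );
	}
	return implode( '; ', $parts );
}

/**
 * Flag settings that leave a policy ineffective against XSS: broad script hosts,
 * unsafe-inline without a nonce/hash, and a missing object-src 'none'.
 */
function csp_script_src_findings( array $policies ) : array {
	$src = $policies['script-src'] ?? $policies['default-src'] ?? null;
	if ( $src === null ) {
		return [ 'no script-src and no default-src: scripts may load from anywhere' ];
	}
	$src           = (array) $src;
	$findings      = [];
	$nonce_or_hash = preg_grep( "/^'?(nonce-|sha(256|384|512)-)/", $src ) !== [];
	if ( in_array( 'unsafe-inline', $src, true ) && ! $nonce_or_hash ) {
		$findings[] = "'unsafe-inline' without a nonce or hash lets injected inline scripts run";
	}
	foreach ( [ '*', 'https:', 'http:' ] as $broad ) {
		if ( in_array( $broad, $src, true ) ) {
			$findings[] = "'$broad' allows scripts from any host";
		}
	}
	$object = (array) ( $policies['object-src'] ?? [] );
	if ( $object !== [ 'none' ] ) {
		$findings[] = "object-src is not 'none': plugin objects bypass script-src";
	}
	return $findings;
}

// The README's syntax illustration: any HTTPS host plus inline scripts. No XSS protection.
$weak = [ 'script-src' => [ 'https:', 'unsafe-inline' ] ];

// Enforced baseline for a site that loads one third-party script host (hosts are examples).
$enforced = [
	'default-src'     => 'self',
	'script-src'      => [ 'self', 'https://cdnjs.cloudflare.com' ],
	'style-src'       => [ 'self', 'unsafe-inline' ], // WordPress core and themes emit inline styles
	'img-src'         => [ 'self', 'data:', 'https:' ],
	'font-src'        => [ 'self', 'https://fonts.gstatic.com' ],
	'object-src'      => 'none',
	'base-uri'        => 'self',
	'form-action'     => 'self',
	'frame-ancestors' => 'self', // supersedes X-Frame-Options in browsers that support it
];

// Report-only candidate: the next tightening step, observed before it is enforced.
$report_only               = $enforced;
$report_only['style-src']  = 'self';
$report_only['report-uri'] = 'https://example.uriports.com/reports'; // collector URL from your reporting service

echo render_csp( $weak ), PHP_EOL;
print_r( csp_script_src_findings( $weak ) );
echo render_csp( $enforced ), PHP_EOL;
print_r( csp_script_src_findings( $enforced ) );

// Hook both policies into the plugin. Each closure overrides only the directives it sets.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'altis.security.browser.content_security_policies', function ( array $policies ) use ( $enforced ) : array {
		return array_merge( $policies, $enforced );
	} );
	add_filter( 'altis.security.browser.report_only_content_security_policies', function ( array $policies ) use ( $report_only ) : array {
		return array_merge( $policies, $report_only );
	} );
}
```

The pattern to keep is the split: enforce what you have verified against the site's real asset inventory, and send the stricter variant as report-only until the collector shows no legitimate violations, then promote it.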

### Security Headers

This plugin automatically adds various security headers by default. These follow best practices for web security and aim to provide a sensible, secure default.

In some cases, you may want to adjust or disable these headers depending on the use cases of your site.

#### Strict-Transport-Security

The [`Strict-Transport-Security` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) tells browsers to connect to the site only over HTTPS (TLS) for the given `max-age`, rewriting any `http://` link or typed address before the request leaves the browser. This defeats protocol-downgrade (SSL-stripping) attacks and stops session cookies being sent over plain HTTP on later visits.

By default, Altis adds a `Strict-Transport-Security` header if your site is served over HTTPS, with the value `max-age=86400` (one day). To override this value (for example a longer duration, or to add `includeSubDomains`), define the `ABS_HSTS` constant. Raise `max-age` only once every host the policy covers serves valid HTTPS: browsers cache the policy for the full duration, and `includeSubDomains` extends it to every subdomain, including any that are HTTP-only today. Submitting the domain to the browser preload lists additionally requires a `max-age` of at least 31536000 (one year), `includeSubDomains` and the `preload` token:

```
define( 'ABS_HSTS', 'max-age=31536000; includeSubDomains' );
```

To disable the automatic behaviour entirely, set the constant to `false`:

```
define( 'ABS_HSTS', false );
```

#### X-Content-Type-Options

By default, Altis adds an [`X-Content-Type-Options` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) with the value set to `nosniff`. This stops browsers MIME-sniffing a response away from its declared `Content-Type` (for example treating an uploaded file served as `text/plain` as script or HTML), and blocks `<script>` and stylesheet loads whose response carries a non-matching type.

This should generally always be sent, and your content type should always be set explicitly. If you need to disable it, set the `ABS_NOSNIFF_HEADER` constant:

```
define( 'ABS_NOSNIFF_HEADER', false );
```

#### X-Frame-Options

By default, Altis adds an [`X-Frame-Options` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) with the value set to `SAMEORIGIN`. This stops other origins embedding your pages in an `<iframe>` (your own origin still can), which defends against [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking).

This should generally always be sent, but in some cases you may want to allow specific sites to frame your site, or to allow any site. To disable the automatic header, set the `ABS_FRAME_OPTIONS_HEADER` constant:

```
define( 'ABS_FRAME_OPTIONS_HEADER', false );
```

You can then send your own headers as needed; we recommend hooking into the `template_redirect` hook to send them. If the goal is to allow specific origins to frame your site, prefer the CSP `frame-ancestors` directive via the policy filter described above: `X-Frame-Options` cannot express an allowlist of origins, and browsers that support `frame-ancestors` ignore `X-Frame-Options` when both are present.

#### X-XSS-Protection

By default, Altis adds an [`X-XSS-Protection` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) with the value set to `1; mode=block`. In browsers with a built-in reflected-XSS auditor, this tells the browser to stop rendering the page, rather than attempt to sanitise it, when it detects a [cross-site scripting (XSS) attack](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). The header is non-standard and most current browsers (Chromium-based browsers since version 78, and Firefox, which never implemented the auditor) ignore it, so treat it as a harmless legacy signal rather than a control; a Content-Security-Policy is the mechanism to rely on.

It does no harm to send. If you need to disable it, set the `ABS_XSS_PROTECTION_HEADER` constant:

```
define( 'ABS_XSS_PROTECTION_HEADER', false );
```
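The constants above only control what the plugin emits; a CDN or reverse proxy in front of WordPress can strip or override headers, so the values that reach the browser are worth auditing from a real response. The following is an added example in plain PHP, not part of this plugin: it parses the HSTS value, checks `nosniff`, treats a CSP `frame-ancestors` directive as satisfying the framing check, and flags an `X-XSS-Protection` header that stands alone with no CSP. The two header arrays are constructed samples; in practice, feed it the headers from an actual response (for example from `get_headers()` or `wp_remote_head()`).

```php
<?php
declare( strict_types=1 );

/** Parse a Strict-Transport-Security value into max_age / include_subdomains / preload. */
function parse_hsts( string $value ) : array {
	$out = [ 'max_age' => null, 'include_subdomains' => false, 'preload' => false ];
	foreach ( explode( ';', $value ) as $directive ) {
		$directive = trim( $directive );
		if ( preg_match( '/^max-age=("?)(\d+)\1$/i', $directive, $m ) ) {
			$out['max_age'] = (int) $m[2];
		} elseif ( strcasecmp( $directive, 'includeSubDomains' ) === 0 ) {
			$out['include_subdomains'] = true;
		} elseif ( strcasecmp( $directive, 'preload' ) === 0 ) {
			$out['preload'] = true;
		}
	}
	return $out;
}

/**
 * Audit the security headers of one HTTPS response. $headers is name => value
 * (names are compared case-insensitively). Returns findings; an empty array is clean.
 */
function audit_security_headers( array $headers ) : array {
	$h        = array_change_key_case( $headers, CASE_LOWER );
	$findings = [];

	if ( ! isset( $h['strict-transport-security'] ) ) {
		$findings[] = 'HSTS missing: http:// links to the site remain downgradable';
	} else {
		$hsts = parse_hsts( $h['strict-transport-security'] );
		if ( $hsts['max_age'] === null ) {
			$findings[] = 'HSTS has no max-age: browsers ignore the header';
		} elseif ( $hsts['max_age'] < 31536000 ) {
			$findings[] = sprintf( 'HSTS max-age=%d is under one year (plugin default is 86400; raise via ABS_HSTS once HTTPS is stable everywhere)', $hsts['max_age'] );
		}
		if ( $hsts['preload'] && ( $hsts['max_age'] < 31536000 || ! $hsts['include_subdomains'] ) ) {
			$findings[] = 'preload token set but preload lists require max-age >= 31536000 and includeSubDomains';
		}
	}

	if ( strcasecmp( $h['x-content-type-options'] ?? '', 'nosniff' ) !== 0 ) {
		$findings[] = 'X-Content-Type-Options: nosniff missing: responses may be MIME-sniffed';
	}

	$csp                 = $h['content-security-policy'] ?? '';
	$has_frame_ancestors = stripos( $csp, 'frame-ancestors' ) !== false;
	$xfo                 = strtoupper( trim( $h['x-frame-options'] ?? '' ) );
	if ( ! $has_frame_ancestors && ! in_array( $xfo, [ 'DENY', 'SAMEORIGIN' ], true ) ) {
		$findings[] = 'no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN: page can be framed (clickjacking)';
	}

	if ( isset( $h['x-xss-protection'] ) && $csp === '' ) {
		$findings[] = 'X-XSS-Protection present but no CSP: current browsers ignore the auditor header, so no XSS mitigation is in effect';
	}

	return $findings;
}

// Constructed sample: the plugin's defaults on an HTTPS site with no CSP configured.
$default_headers = [
	'Strict-Transport-Security' => 'max-age=86400',
	'X-Content-Type-Options'    => 'nosniff',
	'X-Frame-Options'           => 'SAMEORIGIN',
	'X-XSS-Protection'          => '1; mode=block',
];
print_r( audit_security_headers( $default_headers ) );

// Constructed sample: the same site after setting ABS_HSTS and a CSP via the policy filter.
$hardened = $default_headers + [ 'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'" ];
$hardened['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
print_r( audit_security_headers( $hardened ) );
```

The first sample reports the short HSTS lifetime and the CSP-less `X-XSS-Protection`; the second comes back clean. Running the same routine against every hostname the `includeSubDomains` flag would cover is the check to do before extending `ABS_HSTS`.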

### Restrict CORS origins

By default, WordPress reflects any request `Origin` back in the `Access-Control-Allow-Origin` header of REST API responses, so any web page can read public REST API data from your site cross-origin. This plugin adds a new filter, `altis.security.browser.rest_allow_origin`, to restrict which [CORS origins](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) are allowed.

To disallow all cross-origin requests, return `false` from the filter:

```
add_filter( 'altis.security.browser.rest_allow_origin', '__return_false' );
```

To allow specific origins only:

```
add_filter( 'altis.security.browser.rest_allow_origin', function ( $allow, $origin ) {
	// Compare the full origin (scheme, host and port) with strict equality; a
	// substring or prefix match would also accept e.g. https://www.example.com.evil.net.
	$allowed_origins = [
		'https://www.example.com',
	];

	return in_array( $origin, $allowed_origins, true );
}, 10, 2 );
```

To disallow all .local domains:

```
add_filter( 'altis.security.browser.rest_allow_origin', function ( $allow, $origin ) {
	// Substring match: this over-matches (e.g. https://foo.local.example.com),
	// which is acceptable for a deny rule but would not be for an allow rule.
	if ( false !== strpos( $origin, '.local' ) ) {
		return false;
	}

	// Otherwise keep whatever earlier filters decided.
	return $allow;
}, 10, 2 );
```
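The two examples above use exact matching and a substring match. When an allowlist needs to cover subdomains, matching on the parsed origin avoids the usual mistakes: prefix tricks such as `https://www.example.com.evil.net`, a missing dot boundary (`evilexample.org` passing for `example.org`), treating `http://` and `https://` or different ports as the same origin, and accepting the literal `null` origin that sandboxed frames and `file://` pages send. The following is an added example rather than plugin code; the `*.` wildcard convention, the allowlist entries and the sample origins are assumptions made for illustration.

```php
<?php
declare( strict_types=1 );

/**
 * Decide whether a request Origin may read REST responses.
 * - Plain entries are exact origins (scheme + host + port) and match only themselves.
 * - Entries starting with "*." match that domain and any subdomain, HTTPS on the default port only.
 * - "null" (sandboxed iframes, file://) and anything that is not a bare origin is denied.
 */
function origin_is_allowed( string $origin, array $allowlist ) : bool {
	$origin = rtrim( $origin, '/' );
	if ( $origin === '' || $origin === 'null' ) {
		return false;
	}
	$parts = parse_url( $origin );
	if ( $parts === false || empty( $parts['scheme'] ) || empty( $parts['host'] )
		|| isset( $parts['path'] ) || isset( $parts['query'] ) || isset( $parts['user'] ) ) {
		return false; // an Origin header is scheme://host[:port], nothing else
	}
	$host = strtolower( $parts['host'] );
	foreach ( $allowlist as $entry ) {
		if ( strpos( $entry, '*.' ) === 0 ) {
			$suffix = strtolower( substr( $entry, 2 ) );
			// Either the domain itself or "<label>.<domain>": the leading dot is the boundary check.
			$in_domain = $host === $suffix
				|| ( strlen( $host ) > strlen( $suffix ) && substr( $host, -strlen( $suffix ) - 1 ) === '.' . $suffix );
			if ( $in_domain && strtolower( $parts['scheme'] ) === 'https' && ! isset( $parts['port'] ) ) {
				return true;
			}
		} elseif ( strtolower( $entry ) === strtolower( $origin ) ) {
			return true;
		}
	}
	return false;
}

// Constructed allowlist and sample origins with the expected decision for each.
$allowed_origins = [ 'https://www.example.com', '*.example.org' ];
$cases = [
	'https://www.example.com'          => true,
	'http://www.example.com'           => false, // scheme is part of the origin
	'https://www.example.com.evil.net' => false, // prefix trick a strpos() check would accept
	'https://app.example.org'          => true,
	'https://example.org'              => true,
	'https://evilexample.org'          => false, // shares the suffix but not the dot boundary
	'https://example.org:8443'         => false, // non-default port is a different origin
	'null'                             => false,
];
foreach ( $cases as $origin => $expected ) {
	printf( "%-35s %s\n", $origin, origin_is_allowed( $origin, $allowed_origins ) === $expected ? 'ok' : 'MISMATCH' );
}

// Plug the matcher into the plugin's filter. $allow is ignored: this allowlist is authoritative.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'altis.security.browser.rest_allow_origin', function ( $allow, $origin ) use ( $allowed_origins ) {
		return origin_is_allowed( (string) $origin, $allowed_origins );
	}, 10, 2 );
}
```

Running the file outside WordPress prints `ok` for every sample; inside WordPress only the final block takes effect. Keep the allowlist in configuration rather than scattered across filters so the set of origins that can read your REST API is reviewable in one place.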

License
-------

Altis Browser Security is licensed under the GPLv2 or later. Copyright 2019 Human Made and contributors.

### Release Activity

Cadence: every ~256 days (recently every ~276 days). Total releases: 10. Last release: 83d ago.

Major versions:

- 1.2.0 → 2.0.0 (2022-03-22)
- 1.2.1 → 2.0.2 (2023-02-27)

### Community

Maintainers: [Ryan McCue](https://github.com/rmccue) (@rmccue), [roborourke](https://github.com/roborourke), [joehoyle](https://github.com/joehoyle).

Top contributors (commits): rmccue (33), kadamwhite (13), jerico (11), mikelittle (8), roborourke (7), mattheu (4), mikeselander (1), joehoyle (1), wisyhambolu (1).

### Code Quality

Tests: PHPUnit
