blackbird/module-csp-manager
============================

A Magento 2 module to manage Content Security Policy (CSP) rules directly from the CLI and env.php, including automatic CSP header splitting.

Version 1.0.1 | License: MIT | Requires PHP ^8.2

[Source](https://github.com/blackbird-agency/magento-2-csp-manager) | [Packagist](https://packagist.org/packages/blackbird/module-csp-manager)

Blackbird CSP Manager
=====================


This module allows managing Content Security Policy (CSP) rules directly from the Magento command line (CLI). The rules are stored in the `app/etc/env.php` file, which allows for environment-specific management without going through the database or the backoffice.

**Important:** The rules managed by this module are **added to** (not replacing) the existing Magento CSP rules defined in `csp_whitelist.xml` files.

Key functionality includes:

- Manage additional (additive to `csp_whitelist.xml`) CSP values via CLI.
- Automatic injection of rules into the native Magento collector (`Magento\Csp\Model\CompositePolicyCollector`).
- Management of automatic CSP header splitting (`Content-Security-Policy` and `Content-Security-Policy-Report-Only`):
    - Splitting into multiple headers if the length exceeds a configurable limit (default 8192 bytes).
    - Configuration possible via the Backoffice (Services > CSP Manager).
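The header splitting listed above has one browser-side constraint worth seeing in code: several `Content-Security-Policy` headers are each enforced in full and the effective policy is their intersection, so cutting a directive in two, or separating a directive from a present directive it falls back to, silently tightens the policy. The splitter below is an added example written for this page, not the module's own code; `splitCspHeader`, the `CSP_FALLBACK` subset and the sample policy are assumptions, and the module's actual splitting rules are not described here.

```php
<?php
// Subset of the CSP3 fallback lists: when the key directive is absent, the request
// type it governs is checked against the first listed directive that is present.
const CSP_FALLBACK = [
    'script-src' => ['default-src'], 'style-src' => ['default-src'], 'img-src' => ['default-src'],
    'connect-src' => ['default-src'], 'font-src' => ['default-src'], 'child-src' => ['default-src'],
    'frame-src' => ['child-src', 'default-src'], 'worker-src' => ['child-src', 'script-src', 'default-src'],
    'script-src-elem' => ['script-src', 'default-src'], 'style-src-elem' => ['style-src', 'default-src'],
];
// Hypothetical splitter (not the module's code): header values of at most $limit bytes.
// Browsers enforce each Content-Security-Policy header separately and intersect the
// results, so a directive is never cut in two and stays with every present directive it
// could fall back to; otherwise a header lacking it would apply the fallback instead.
function splitCspHeader(array $directives, int $limit = 8192): array
{
    $parent = array_combine(array_keys($directives), array_keys($directives)); // union-find
    $find = function (string $d) use (&$parent, &$find): string {
        return $parent[$d] === $d ? $d : ($parent[$d] = $find($parent[$d]));
    };
    foreach ($directives as $name => $_) {
        foreach (CSP_FALLBACK[$name] ?? [] as $fallback) {
            if (isset($directives[$fallback])) {
                $parent[$find($name)] = $find($fallback);   // must share one header
            }
        }
    }
    $groups = [];
    foreach ($directives as $name => $sources) {
        $groups[$find($name)][] = $name . ' ' . implode(' ', array_unique($sources));
    }
    $headers = [];
    foreach ($groups as $parts) {                           // first-fit packing of groups
        $chunk = implode('; ', $parts);
        if (strlen($chunk) > $limit) { throw new LengthException("Inseparable directives exceed $limit bytes: $chunk"); }
        $slot = array_key_first(array_filter($headers, fn ($h) => strlen($h) + 2 + strlen($chunk) <= $limit));
        if ($slot === null) { $headers[] = $chunk; } else { $headers[$slot] .= '; ' . $chunk; }
    }
    return $headers;
}

// Constructed sample: the default-src group must stay whole; form-action and report-uri
// have no fallback, so they may overflow into a second header at this small test limit.
$policy = [
    'default-src' => ["'self'"], 'script-src' => ["'self'", 'https://cdn.example.test'],
    'img-src' => array_map(fn ($i) => "https://img$i.example.test", range(1, 6)),
    'frame-ancestors' => ["'none'"], 'form-action' => ["'self'"], 'report-uri' => ['/csp-report'],
];
foreach (splitCspHeader($policy, 256) as $i => $value) {
    printf("Content-Security-Policy #%d (%d bytes): %s\n", $i + 1, strlen($value), $value);
}
```

With the 256-byte test limit the sample yields two headers: the first carries `default-src`, `script-src`, `img-src` and `frame-ancestors`, the second `form-action` and `report-uri`; at the module's 8192-byte default the same policy stays in one header.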

### Security


This module is designed to be **safe from SQL injection**. All configuration is handled through the Magento CLI and stored directly in the `app/etc/env.php` file. Since the CSP rules themselves are never stored in the database, this removes the risk of SQL-based attacks against CSP management.

Additionally, this approach provides several security benefits:

- **Protects against stolen Back Office accounts**: Even if an administrator account is compromised, the attacker cannot modify CSP rules via the Magento Admin Panel, as the configuration is stored in a file that is typically read-only for the web server and only manageable via CLI.
- **Prevents automatic allowing of injected scripts**: Malicious scripts that might gain access to the database cannot dynamically white-list themselves by injecting new CSP rules into the configuration, ensuring that the security policies remain under strict developer/sysadmin control.

The source code is available at the [GitHub repository](https://github.com/blackbird-agency/magento-2-csp-manager).

---

Setup
-----


### Get the Package


#### Zip Package

Unzip the package into `app/code/Blackbird/CSPManager`, from the root of your Magento instance.

#### Composer Package

```
composer require blackbird/module-csp-manager
```

### Install the Module


Go to your Magento root directory, then run the following Magento commands:

**If you are in production mode, do not forget to recompile and redeploy the static resources, or to use the `--keep-generated` option.**

```
bin/magento module:enable Blackbird_CSPManager
bin/magento setup:upgrade
bin/magento cache:flush
```

---

Features
--------


### Usage via CLI


#### Add value(s) to a directive

Adds one or more values to an existing or new directive. Note that these values are added on top of any values already defined in Magento's `csp_whitelist.xml` files.

```
bin/magento csp:rule:add [directive] "[value1]" "[value2]" ...
```

Example:

```
bin/magento csp:rule:add img-src "mysite.com" "anothersite.com"
```

If the directive does not exist, it is created in `env.php`. If it exists, the new values are appended to the existing ones (duplicates are skipped).

#### Overwrite/Set a complete directive


Sets the values for a directive in `env.php`. Note that these values are **still additive** to those defined in `csp_whitelist.xml` files; this command only overwrites other values managed by this module in `env.php`.

```
bin/magento csp:rule:set [directive] "[value]"
```

Example:

```
bin/magento csp:rule:set img-src "mysite.com cdn.mysite.com"
```

This command replaces the current value of the directive with the provided one.

#### Unset a complete directive


```
bin/magento csp:rule:unset [directive]
```

Example:

```
bin/magento csp:rule:unset img-src
```

This command is the inverse of `csp:rule:set`: it removes the directive from `env.php` entirely.

#### List rules


```
bin/magento csp:rule:list
```

#### Remove value(s) or a directive


```
bin/magento csp:rule:remove [directive] [value1] [value2] ...
```

Example to remove specific value(s):

```
bin/magento csp:rule:remove img-src "mysite.com" "anothersite.com"
```

Example to remove a complete directive:

```
bin/magento csp:rule:remove img-src
```

Note: The `add`, `set`, `remove`, and `unset` commands validate that the directive passed as an argument is valid according to the CSP specification (list from MDN).

**Important:** After making any changes to CSP rules, you should clean the `full_page` cache to reflect the changes on the frontend:

```
bin/magento cache:clean full_page
```

### Technical Configuration


The rules are stored in `app/etc/env.php` under the `csp` key:

```
