
bnomei/kirby3-security-headers
==============================

Kirby Plugin for easier Security Headers setup

Version 5.2.0 | License: MIT | Requires PHP >=8.2.0

[Source](https://github.com/bnomei/kirby3-security-headers) | [Packagist](https://packagist.org/packages/bnomei/kirby3-security-headers)

Kirby Content Security Policy Header
====================================


Kirby Plugin for easier Content Security Policy (CSP) Headers setup.

Installation
------------


- unzip [master.zip](https://github.com/bnomei/kirby3-security-headers/archive/master.zip) as folder `site/plugins/kirby3-security-headers` or
- `git submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headers` or
- `composer require bnomei/kirby3-security-headers`

Default CSP Headers
-------------------

The following headers are applied by default; you do not need to set them explicitly. They provide a good starting point for most websites and ensure a sane level of security.

```
X-Powered-By:                 "" # unset
X-Frame-Options:              "SAMEORIGIN"
X-XSS-Protection:             "1; mode=block"
X-Content-Type-Options:       "nosniff"
Strict-Transport-Security:    "max-age=31536000; includeSubdomains"
Referrer-Policy:              "no-referrer-when-downgrade"
Permissions-Policy:           "interest-cohort=()" # flock-off
# + various Feature-Policies...
```

**Tip:** See `\Bnomei\SecurityHeaders::HEADERS_DEFAULT` for more details.

Zero Configuration? Almost.
---------------------------

Installing the plugin is enough to protect your website. A `route:before` hook sends the CSP headers automatically, but you will most likely need to customize them when using third-party services such as

- Content Delivery Networks (CDN),
- analytics scripts like Google Tag Manager/Fathom/Matomo/Piwik/Plausible/Umami,
- embedded external media from YouTube/Vimeo/Instagram/X,
- external newsletter sign-up forms from Brevo/Mailchimp/Mailjet/Mailcoach,
- any other third-party service not hosted on your domain or a subdomain, or
- inline scripts and/or styles.

**Tip:** The plugin automatically disables itself on local setups so that it does not get in your way while developing. To test the CSP headers locally, set the `'bnomei.securityheaders.enabled' => true,` option to enforce sending the headers.

Customizing CSP Headers & Nonces
--------------------------------

You can customize the CSP headers by providing a custom **Loader** and/or **Setter** via the Kirby config.

### Loader

The Loader is used to initially create the CSP-Builder object from a given set of mostly static data. You can provide a path to a file, return an array, or return `null` to create a blank CSP-Builder object.

**Tip:** See `\Bnomei\SecurityHeaders::LOADER_DEFAULT` for more details.

**Warning:** Consider using a custom loader ONLY if you find yourself adding a lot of configuration in the Setter. The default loader is already quite extensive and should cover most use-cases.

### Setter

The **Setter** is applied after the **Loader**. Use it to add dynamic rules such as sources for external services, hashes for fixed inline code, and per-request nonces.
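A Setter covering the three cases named above (an external analytics host, a hashed inline script and a per-request nonce), written here as an added example rather than taken from the plugin's README. It assumes the option key `bnomei.securityheaders.setter`, that its callback receives the `\Bnomei\SecurityHeaders` instance, and that `$instance->csp()` returns the ParagonIE CSP-Builder object created by the Loader; the nonce comes from Kirby core's `$kirby->nonce()`, and the hosts and file path are constructed.

```php
<?php
// site/config/config.php (added example; constructed hosts and file path)
// Assumed, not taken from this page: the option key 'bnomei.securityheaders.setter',
// that its callback receives the \Bnomei\SecurityHeaders instance, and that
// $instance->csp() returns the ParagonIE CSP-Builder object the Loader created.

return [
    // Force the headers on locally so the policy can be verified while developing.
    'bnomei.securityheaders.enabled' => true,

    'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance): void {
        $csp = $instance->csp();

        // 1. External services: allow exactly the hosts each directive needs
        //    instead of widening script-src with a wildcard or 'unsafe-inline'.
        $csp->addSource('script-src', 'https://plausible.io');
        $csp->addSource('connect-src', 'https://plausible.io');   // its beacon requests
        $csp->addSource('frame-src', 'https://www.youtube-nocookie.com');
        $csp->addSource('img-src', 'https://cdn.example.com');    // constructed CDN host

        // 2. Hash: allow one fixed inline script by its digest. The hashed
        //    string must equal the <script> body byte for byte, so render the
        //    same file into the template that is hashed here.
        $inline = kirby()->root('assets') . '/js/inline-boot.js';
        if (is_file($inline)) {
            $csp->hash('script-src', file_get_contents($inline), 'sha256');
        }

        // 3. Nonce: per-request random value for inline scripts/styles whose
        //    content changes between requests. Kirby core provides $kirby->nonce();
        //    registering it here and printing it as nonce="..." in the template
        //    makes the browser accept only elements carrying this exact value.
        $nonce = kirby()->nonce();
        $csp->nonce('script-src', $nonce);
        $csp->nonce('style-src', $nonce);
    },
];
```

In the template, print the same value on each inline element, e.g. `<script nonce="<?= $kirby->nonce() ?>">`; an element without the matching nonce (or hash) is blocked by the browser, which is the check that tells you a third-party snippet still needs a rule.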

**/site/config/config.php**

```
