

experius/module-csp
===================

Provide a basic Content Security Policy Allowed List and report blocked resources.

- Status: Active · Type: Magento2-module · Category: [Security](/categories/security)
- Latest release: 2.0.3 (4y ago) · 3584.3k↓14.9%13 · [4 issues](https://github.com/experius/Magento-2-Module-Experius-Csp/issues) · [1 PRs](https://github.com/experius/Magento-2-Module-Experius-Csp/pulls) · License: OSL-3.0 · Language: PHP
- Since Jun 15 · Pushed 3y ago · 5 watchers
- [Source](https://github.com/experius/Magento-2-Module-Experius-Csp) · [Packagist](https://packagist.org/packages/experius/module-csp) · [RSS](/packages/experius-module-csp/feed) · branch: master · Synced 1mo ago

Mage2 Module Experius Csp
=========================

```
experius/module-csp
```

- [Installation](#markdown-header-installation)
- [Main Functionalities](#markdown-header-main-functionalities)
- [Basic allowed list](#markdown-header-basic-allowed-list)
- [Content Security Policy Reporting & whitelisting](#markdown-header-content-security-policy-reporting-&-whitelisting)
- [Add a resource to the allowed list permanently](#markdown-header-add-a-resource-to-the-allowed-list-permanently)

Installation
------------

In production, pass the `--keep-generated` option to `setup:upgrade`.

- Install the module via Composer by running `composer require experius/module-csp`
- Enable the module by running `php bin/magento module:enable Experius_Csp`
- Apply database updates by running `php bin/magento setup:upgrade`
- Flush the cache by running `php bin/magento cache:flush`

Main Functionalities
--------------------

Provides a basic Content Security Policy allowed list (whitelist). When a resource is blocked by the policy, the violation is automatically reported to the Experius CSP Report table (`experius_csp_report`).

When a report of a blocked directive is found, an error message is shown in the admin to notify the developer/client.

These reports can be whitelisted for directives that allow it. See "Content Security Policy Reporting & whitelisting" below for an example and more details.

### IMPORTANT: Content Security Policy Report Only Mode

In the upcoming Magento 2.4 release, Content Security Policy Report-Only mode will be disabled and the policy will be validated strictly, i.e. enforced rather than only reported.

The `report-to` directive has been disabled in this version because it does not work properly. See: `\Experius\Csp\Plugin\Magento\Framework\App\Response\HttpInterface::beforeSetHeader`

### Basic allowed list

Currently this module contains a basic whitelist of sources considered "safe".

A few examples:

- Google Fonts
- Google Maps
- Dotdigital / Dotmailer Chat
- Buckaroo
- etc.

For the full list per directive, check the following file:

```
etc/csp_whitelist.xml
```

### Content Security Policy Reporting &amp; whitelisting


In the Magento Admin you can view the reports which are created.

```
System > Tools > CSP reporting & whitelist
```

[![Scheme](Docs/Screenshots/report-view.png)](Docs/Screenshots/report-view.png)

To avoid clutter, a counter was introduced that keeps the table from growing excessively with many page views: identical reports are grouped by `violated_directive`, `blocked_uri` and `document_uri` and the counter is incremented instead of inserting a new row.

@TODO: \[Nice to have\] consider dropping `document_uri` from the grouping, since the whitelist is applied across the entire Magento installation (globally).

### Add a resource to the allowed list permanently

Based on the reports you can easily add a `csp_whitelist.xml` file to your own module, and when you are done, delete the report record because it is no longer relevant. More information about how this XML file works can be found here:

```
https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html
```

Example report:

- document\_uri:
- referer:
- violated\_directive: img-src
- original\_policy: font-src fonts.googleapis.com fonts.gstatic.com   'self' 'unsafe-inline'; form-action 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src cdn.dnky.co youtube.com [www.youtube.com](http://www.youtube.com) https:/
- blocked\_uri: [https://maps.gstatic.com/mapfiles/openhand\_8\_8.cur](https://maps.gstatic.com/mapfiles/openhand_8_8.cur)
- date: 2020-06-25 16:42:23

Fix (the `csp_whitelist.xml` structure from the Magento docs, with a `host` value for the `img-src` policy):

```
<?xml version="1.0"?>
<!-- app/code/Custom/Csp/etc/csp_whitelist -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- policy id = the violated directive from the report -->
        <policy id="img-src">
            <values>
                <!-- value id is an arbitrary unique name; type="host" allows a host source -->
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```
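The two steps above, grouping incoming violation reports into a counter table and turning a reviewed report into a `csp_whitelist.xml` entry, as an added example that is not part of the module's code. It works on the browser's classic `report-uri` JSON payload (a `csp-report` object with hyphenated field names); the mapping of those names onto the module's `document_uri` / `violated_directive` / `blocked_uri` columns, the sample payloads and the `value` id naming (host with dots replaced by underscores) are assumptions of this example. Unlike the `*.gstatic.com` wildcard in the README fix, the generated entry allows only the exact host that was reported, which is the narrower choice to start from.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample POST bodies in the browser's classic report-uri format
# (a top-level "csp-report" object). Hyphenated names are the browser's;
# the module's table uses the same names with underscores (assumption).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout",
        "referrer": "",
        "violated-directive": "img-src",
        "original-policy": "img-src 'self'; script-src 'self'",
        "blocked-uri": "https://maps.gstatic.com/mapfiles/openhand_8_8.cur",
    }}),
    json.dumps({"csp-report": {                 # same violation, same page: counter += 1
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "img-src 'self'",  # older Chrome appends the source list
        "blocked-uri": "https://maps.gstatic.com/mapfiles/openhand_8_8.cur",
    }}),
    json.dumps({"csp-report": {                 # same resource on another page: separate row
        "document-uri": "https://shop.example/cart",
        "violated-directive": "img-src",
        "blocked-uri": "https://maps.gstatic.com/mapfiles/openhand_8_8.cur",
    }}),
    json.dumps({"csp-report": {                 # inline script: there is no host to allow
        "document-uri": "https://shop.example/checkout",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
    }}),
    "not json at all",                           # garbage body: ignored, must not crash
]


def parse_report(raw):
    """Return the csp-report object from a POST body, or None if it is not one."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    return report if isinstance(report, dict) else None


def group_key(report):
    """Grouping used by the counter: (directive, blocked_uri, document_uri).
    Only the directive name is kept, because some browsers append its sources."""
    directive = report.get("violated-directive", "").split()
    return (directive[0] if directive else "",
            report.get("blocked-uri", ""),
            report.get("document-uri", ""))


def aggregate(raw_reports):
    """Count reports per group key, like the report table's counter column."""
    counts = Counter()
    for raw in raw_reports:
        report = parse_report(raw)
        if report is not None:
            counts[group_key(report)] += 1
    return counts


def whitelist_host(blocked_uri):
    """Host an allow-list entry would need, or None for non-host values such as
    'inline', 'eval' or a data: URI, which a host entry cannot fix."""
    parts = urlsplit(blocked_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def suggest_entries(counts):
    """Deduplicated (directive, host) pairs to review for a csp_whitelist.xml."""
    entries = set()
    for directive, blocked_uri, _document_uri in counts:
        host = whitelist_host(blocked_uri)
        if host:
            entries.add((directive, host))
    return sorted(entries)


def build_whitelist_xml(entries):
    """Render Magento's csp_whitelist.xml structure (policy id, values, value type=host)
    for the given (directive, host) pairs; value ids are derived from the host."""
    root = ET.Element("csp_whitelist")
    root.set("xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance")
    root.set("xsi:noNamespaceSchemaLocation",
             "urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd")
    policies = ET.SubElement(root, "policies")
    by_directive = {}
    for directive, host in entries:
        by_directive.setdefault(directive, []).append(host)
    for directive, hosts in sorted(by_directive.items()):
        values = ET.SubElement(ET.SubElement(policies, "policy", id=directive), "values")
        for host in sorted(set(hosts)):
            value = ET.SubElement(values, "value", id=host.replace(".", "_"), type="host")
            value.text = host
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    counts = aggregate(SAMPLE_REPORTS)
    for key, n in counts.most_common():
        print(n, *key)
    print(build_whitelist_xml(suggest_entries(counts)))
```

Running the script prints three grouped rows (the two checkout reports collapse into one with count 2) and a `csp_whitelist.xml` containing only the `img-src` policy for `maps.gstatic.com`; the `inline` report produces no entry, since an inline violation has to be resolved by moving the script out of the page (or another policy change), not by allowing a host.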

### Health Score

41 (Fair): better than 89% of packages.

- Maintenance: 18 (infrequent updates; may be unmaintained)
- Popularity: 43 (moderate usage in the ecosystem)
- Community: 22 (small or concentrated contributor base)
- Maturity: 69 (established project with proven stability)
- Bus factor: 3 (3 contributors hold 50%+ of commits)


### Release Activity

- Cadence: every ~14 days (recently: every ~46 days)
- Total releases: 48
- Last release: 1494d ago
- Major versions: 1.8.3 → 2.0.0 (2021-12-21)

### Community

Maintainers: [experius](/maintainers/experius)

Top contributors: [borisvankatwijk](https://github.com/borisvankatwijk) (24 commits), [lewisvoncken](https://github.com/lewisvoncken) (20 commits), [Hexmage](https://github.com/Hexmage) (20 commits), [DjQuinnEXP](https://github.com/DjQuinnEXP) (7 commits), [MatthijsBreed](https://github.com/MatthijsBreed) (5 commits), [dylanmaurits](https://github.com/dylanmaurits) (4 commits), [CsSatter](https://github.com/CsSatter) (3 commits), [jobstokerexperius](https://github.com/jobstokerexperius) (2 commits), [tools-utrecht-hh](https://github.com/tools-utrecht-hh) (1 commit), [Dulshad](https://github.com/Dulshad) (1 commit), [experius-nl](https://github.com/experius-nl) (1 commit), [florisschreuder](https://github.com/florisschreuder) (1 commit), [TonMattonExperius](https://github.com/TonMattonExperius) (1 commit)



