
hk2/csp
=======

Magento 2 module to manage CSP whitelisted URLs

Category: [Security](/categories/security). Latest release 1.0.3 (1y ago). License: MIT. PHP ^7.3.0|^7.4.0|^8.0|^8.1.0|^8.2.0. Listed since Jun 16; last push 2mo ago; 1 watcher.

[Source](https://github.com/basantmandal/magento2-hk2-csp-whitelisting-module) | [Packagist](https://packagist.org/packages/hk2/csp) | [Docs](https://www.basantmandal.in/)

HK2 CSP Whitelisting for Magento 2
==================================


---

Overview
--------


**HK2 CSP Whitelisting** is a Magento 2 extension that provides a **centralized, admin-managed interface** to configure and maintain **Content Security Policy (CSP) whitelists** without editing XML files or touching core code.

The module is designed for:

- Managing CSP directives from Admin UI
- Safely allowing third-party scripts, styles, and assets
- Debugging CSP violations during development
- Maintaining Magento 2.4.x CSP compliance

The extension works **alongside Magento’s native CSP system**, automatically merging admin-defined values with `csp_whitelist.xml`.

> ⚠ **Important:** For manual installation, the **HK2 Core** package (`hk2/core`) must be installed first.

---

Key Features
------------


- **Admin-Managed CSP Directives**
    Configure and manage CSP policies directly from the Magento Admin Panel — no XML or code changes required.
- **Supported CSP Policies**
    Manage commonly used CSP directives including:

    - `script-src`
    - `style-src`
    - `img-src`
    - `connect-src`
    - `font-src`
    - `frame-src`
- **Automatic CSP Merging**
    Admin-defined values are **safely merged** with existing `csp_whitelist.xml` rules, never overwritten.
- **Multi-Scope Configuration**
    Fully supports all Magento configuration scopes:

    - Default
    - Website
    - Store View
- **One-Click Reset to Default**
    Instantly clear all saved CSP values and restore fallback behavior using a dedicated admin reset button.
- **Default Policies Included**
    Ships with preconfigured CSP rules for commonly used third-party services such as: Google, Stripe, Facebook, YouTube, Tailwind CSS, jsDelivr, ContentSquare, NitroPack, and more.
- **CSP-Safe & Magento-Compliant**
    Built in full compliance with Magento 2.4.x CSP standards:

    - No inline JavaScript
    - No `unsafe-inline`
    - No `unsafe-eval`
- **Magento-Native Architecture**
    Leverages Magento’s native CSP collectors, configuration, and caching systems for maximum compatibility.
- **Lightweight & Production-Safe**
    No frontend overrides, no performance impact, and fully compatible with production mode.

System Requirements
-------------------


- **Magento Open Source / Adobe Commerce:** 2.4.x
- **PHP:** 8.1 or higher
- **Database:** MySQL 8.0 / MariaDB 10.4+
- **Dependency:** `hk2/core` v1.0+ (required)

> Magento 2.3.x is end-of-life and not supported.

---

Installation
------------


### Composer (Recommended)


From the Magento root directory (the package is published on Packagist under the name shown at the top of this page, `hk2/csp`):

```
composer require hk2/csp
```

This automatically installs the required **HK2 Core** dependency (`hk2/core`).

---

### Manual Installation


1. Install **HK2 Core** by placing it in:

```
app/code/HK2/Core
```

2. Create the module directory:

```
app/code/HK2/CspWhitelisting
```

3. Copy the module files into the directory.

---

### Enable the Module


```
php bin/magento module:enable HK2_CspWhitelisting
php bin/magento setup:upgrade
php bin/magento cache:flush
```

Optional (production mode):

```
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy
```

---

Configuration
-------------


Navigate to:

**Stores → Configuration → HK2 → CSP Whitelisting**

### Available Options


| Setting | Description |
|---|---|
| Script Src URLs | Comma-separated list for the `script-src` directive |
| Style Src URLs | Comma-separated list for the `style-src` directive |
| Image Src URLs | Comma-separated list for the `img-src` directive |
| Connect Src URLs | Comma-separated list for the `connect-src` directive |
| Font Src URLs | Comma-separated list for the `font-src` directive |
| Frame Src URLs | Comma-separated list for the `frame-src` directive |
| Reset CSP Button | Clears all saved CSP values and restores defaults |

---

Reset CSP Behavior
------------------


The **Reset CSP** button:

- Clears all saved values across **all scopes**
- Restores fallback behavior from `csp_whitelist.xml`
- Immediately clears admin UI textareas
- Re-initializes Magento config cache safely

This follows Magento’s native **“Reset to Default”** behavior.

---

CSP Merging Logic
-----------------


This module **does not override** Magento CSP rules.

Final CSP header is composed of:

1. Core Magento CSP rules
2. Values from `csp_whitelist.xml`
3. Admin-configured values (merged per directive)

This ensures:

- Maximum compatibility
- Upgrade safety
- Predictable CSP behavior
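To make the "merged per directive, never overwritten" rule concrete, here is a stand-alone PHP sketch added for this page. It is not the module's code and does not use Magento's collector classes: it reads entries from a constructed `csp_whitelist.xml` fragment (in the layout `Magento_Csp` uses), appends the admin's comma-separated values per directive, de-duplicates, and rejects any token that is not a single CSP host-source, so that a value such as `evil.example; default-src *` or `'unsafe-inline'` typed into the admin textarea cannot splice an extra directive or keyword into the header. The XML sample, the admin values, the directive list and the validation regex are all this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Constructed csp_whitelist.xml fragment in the layout Magento_Csp reads (sample data, not a real site's file).
const SAMPLE_WHITELIST_XML = <<<'XML'
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="gtm" type="host">*.googletagmanager.com</value>
                <value id="stripe-js" type="host">js.stripe.com</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="stripe-img" type="host">*.stripe.com</value>
                <value id="data" type="scheme">data</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
XML;

/** Directives this sketch accepts, mirroring the six the module exposes in the admin UI. */
const SUPPORTED_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'frame-src'];

/** Collect whitelist values as ['script-src' => ['*.googletagmanager.com', ...], 'img-src' => [...]]. */
function parseWhitelistXml(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $out = [];
    foreach ($doc->policies->policy as $policy) {
        foreach ($policy->values->value as $value) {
            // Scheme entries are rendered with a trailing colon ("data:"); host entries are kept as written.
            $token = trim((string) $value);
            $out[(string) $policy['id']][] = (string) $value['type'] === 'scheme' ? $token . ':' : $token;
        }
    }
    return $out;
}

/**
 * Accept exactly one CSP host-source: optional scheme://, host (or "*" / "*.host"),
 * optional :port, optional path. Quoted keywords ('unsafe-inline'), whitespace and ";"
 * are rejected so admin input can never add a directive or keyword of its own.
 */
function isValidHostSource(string $token): bool
{
    $re = '~^(?:[a-z][a-z0-9+.-]*://)?'                  // optional scheme
        . '(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)'  // "*", "*.host" or host
        . '(?::(?:\d{1,5}|\*))?'                         // optional port
        . '(?:/[^\s;,\'"]*)?$~i';                        // optional path without separators
    return $token !== '' && preg_match($re, $token) === 1;
}

/**
 * Append admin-entered, comma-separated values to the XML whitelist per directive.
 * XML values are never removed; admin values are validated, appended and de-duplicated.
 * Returns ['merged' => [...], 'rejected' => [...]] so a caller can surface bad input.
 */
function mergeCspSources(array $xmlSources, array $adminConfig): array
{
    $merged = $xmlSources;
    $rejected = [];
    foreach ($adminConfig as $directive => $csv) {
        if (!in_array($directive, SUPPORTED_DIRECTIVES, true)) {
            $rejected[$directive][] = '(unsupported directive)';
            continue;
        }
        foreach (explode(',', $csv) as $raw) {
            $token = trim($raw);
            if ($token === '') {
                continue;
            }
            if (!isValidHostSource($token)) {
                $rejected[$directive][] = $token;
                continue;
            }
            $merged[$directive][] = $token;
        }
    }
    foreach ($merged as $directive => $sources) {
        $merged[$directive] = array_values(array_unique($sources));
    }
    return ['merged' => $merged, 'rejected' => $rejected];
}

// Constructed admin input: a duplicate of an XML entry, one valid addition, one directive-injection
// attempt (contains ";" and a space) and one forbidden keyword.
$adminConfig = [
    'script-src' => "js.stripe.com, cdn.jsdelivr.net, evil.example; default-src *, 'unsafe-inline'",
    'style-src'  => 'fonts.googleapis.com',
];
$result = mergeCspSources(parseWhitelistXml(SAMPLE_WHITELIST_XML), $adminConfig);

foreach ($result['merged'] as $directive => $sources) {
    echo $directive, ' ', implode(' ', $sources), PHP_EOL;
}
foreach ($result['rejected'] as $directive => $tokens) {
    echo 'rejected for ', $directive, ': ', implode(' | ', $tokens), PHP_EOL;
}
```

The point of the validation step is that the admin textarea is a privileged input: anyone with permission to save this configuration can loosen the store's CSP, so the module (and any review of it) should treat each saved token as a single host-source and nothing more. Run with `php merge-example.php` to see which tokens survive the merge and which are reported back.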

---

Testing & Verification
----------------------

### Frontend Testing


You can verify CSP behavior using:

- Browser DevTools → **Network → Response Headers**. Look for the `Content-Security-Policy` header. If the header is named `Content-Security-Policy-Report-Only`, Magento is still in report-only mode (its default for most storefront pages): violations are reported to the console but nothing is blocked.
- Browser Console CSP violation warnings
- Test scripts/styles from allowed and blocked sources

### Sample Test Page


Create a CMS page and try loading:

- Allowed external JS (should load)
- Disallowed external JS (should be blocked when CSP is enforced; in report-only mode it still loads and only a console violation is reported)
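The "allowed versus blocked" checks above are easier to reason about if you can evaluate the header offline. The following stand-alone PHP script is an added example for this page, not code from the module: it parses a constructed `Content-Security-Policy` header the way a browser does (per-directive source lists, fallback to `default-src`, `'self'`, scheme sources such as `data:`, `*.host` wildcards, explicit scheme, port and path prefixes) and reports whether a given URL would be allowed for a given directive. The header, the page origin `https://shop.example.com` and the test URLs are all made up for the example, and the matcher implements the common cases of the CSP source-matching algorithm rather than every corner of the specification.

```php
<?php
declare(strict_types=1);

// Constructed storefront Content-Security-Policy header (sample data for this example).
const SAMPLE_CSP_HEADER = "default-src 'self'; "
    . "script-src 'self' *.googletagmanager.com js.stripe.com https://cdn.jsdelivr.net/npm/; "
    . "img-src 'self' data: *.stripe.com; frame-src js.stripe.com";

/** Split a header into ['script-src' => ["'self'", '*.googletagmanager.com', ...], ...]. */
function parseCspHeader(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $chunk) {
        $tokens = preg_split('/\s+/', trim($chunk), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === false || $tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $policy[$name] ??= $tokens; // a browser honours only the first occurrence of a duplicated directive
    }
    return $policy;
}

/** Parse a host-source expression; returns null for keywords, nonces, hashes and malformed tokens. */
function parseHostSource(string $source): ?array
{
    $re = '~^(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?'
        . '(?<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)'
        . '(?::(?<port>\d+))?(?<path>/\S*)?$~i';
    if (preg_match($re, $source, $m) !== 1) {
        return null;
    }
    return [
        'scheme' => ($m['scheme'] ?? '') !== '' ? strtolower($m['scheme']) : null,
        'host'   => strtolower($m['host']),
        'port'   => ($m['port'] ?? '') !== '' ? (int) $m['port'] : null,
        'path'   => $m['path'] ?? '',
    ];
}

/** Does one source expression allow $url (parse_url() output)? $self is the parsed page origin. */
function sourceMatches(string $source, array $url, array $self): bool
{
    $scheme = strtolower($url['scheme']);
    $host   = strtolower($url['host'] ?? '');
    if ($source === "'self'") {
        return $scheme === strtolower($self['scheme']) && $host === strtolower($self['host'])
            && ($url['port'] ?? null) === ($self['port'] ?? null);
    }
    if (str_ends_with($source, ':')) {                    // scheme source such as data: or blob:
        return $scheme === strtolower(substr($source, 0, -1));
    }
    $src = parseHostSource($source);
    if ($src === null || $host === '') {
        return false;
    }
    // A scheme-less source inherits the page's scheme; an http source also matches https.
    $wanted = $src['scheme'] ?? strtolower($self['scheme']);
    if ($scheme !== $wanted && !($wanted === 'http' && $scheme === 'https')) {
        return false;
    }
    if (str_starts_with($src['host'], '*.')) {            // "*.stripe.com" covers js.stripe.com, not stripe.com
        if (!str_ends_with($host, substr($src['host'], 1))) {
            return false;
        }
    } elseif ($src['host'] !== '*' && $src['host'] !== $host) {
        return false;
    }
    if ($src['port'] !== null && $src['port'] !== ($url['port'] ?? null)) {
        return false;
    }
    if ($src['path'] !== '') {                            // trailing "/" is a prefix, otherwise exact match
        $path = $url['path'] ?? '/';
        return str_ends_with($src['path'], '/') ? str_starts_with($path, $src['path']) : $path === $src['path'];
    }
    return true;
}

/** Decide a fetch for $directive, falling back to default-src as browsers do. Returns [allowed, deciding directive]. */
function isAllowed(array $policy, string $directive, string $url, string $selfOrigin): array
{
    $used = isset($policy[$directive]) ? $directive : 'default-src';
    if (!isset($policy[$used])) {
        return [true, '(unrestricted)'];
    }
    $u = parse_url($url);
    $s = parse_url($selfOrigin);
    if ($u === false || $s === false || !isset($u['scheme'], $s['scheme'], $s['host'])) {
        return [false, $used];
    }
    foreach ($policy[$used] as $source) {
        if ($source === "'none'" || sourceMatches($source, $u, $s)) {
            return [$source !== "'none'", $used];
        }
    }
    return [false, $used];
}

// Constructed checks for a page served from https://shop.example.com.
$policy = parseCspHeader(SAMPLE_CSP_HEADER);
foreach ([
    ['script-src', 'https://js.stripe.com/v3/'],
    ['script-src', 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX'],
    ['script-src', 'https://cdn.jsdelivr.net/npm/any-package/dist/any.min.js'],
    ['script-src', 'https://cdn.jsdelivr.net/gh/someone/repo/x.js'],
    ['script-src', 'https://evil.example/x.js'],
    ['img-src',    'data:image/png;base64,iVBORw0KGgo='],
    ['style-src',  'https://fonts.googleapis.com/css2?family=Inter'], // no style-src, so default-src 'self' decides
] as [$directive, $url]) {
    [$allowed, $decidedBy] = isAllowed($policy, $directive, $url, 'https://shop.example.com');
    printf("%-10s %-62s %s (%s)\n", $directive, $url, $allowed ? 'allowed' : 'blocked', $decidedBy);
}
```

Paste the real header from DevTools into `SAMPLE_CSP_HEADER` to check a site's own policy. Two results are worth noticing: the `/gh/` jsDelivr URL is blocked only because the sample restricts the path to `/npm/`, and even that prefix still admits any package anyone publishes to npm, so a bare CDN host entry is not a meaningful restriction for `script-src`; and a "blocked" verdict here only corresponds to a blocked load in the browser when the header is the enforcing `Content-Security-Policy`, not `Content-Security-Policy-Report-Only`.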

---

Content Security Policy (CSP)
-----------------------------


This extension is fully compatible with Magento 2.4.x CSP system.

The module **does not use**:

- Inline JavaScript
- `unsafe-inline`
- `unsafe-eval`

### Supported Directives


- `script-src`
- `style-src`
- `img-src`
- `connect-src`
- `font-src`
- `frame-src`

All values are validated and merged safely. Host entries are only as narrow as you make them: allowing a whole public CDN host (for example `cdn.jsdelivr.net`) admits any script published through that CDN, so use the most specific host, and path where the service supports one, that the integration actually needs.

---

Privacy & Data Usage
--------------------

- No personal data is collected
- No tracking or analytics
- No background requests
- External requests only occur if explicitly whitelisted

This module is **GDPR-safe by design**.

---

Compatibility & Performance
---------------------------

- Fully compatible with Magento 2.4.x
- Safe for production mode
- Compatible with static content deployment
- No performance impact on frontend or admin

---

Known Limitations
-----------------


- Does not modify core CSP logic
- Does not auto-detect CSP violations
- Inline scripts must still be refactored to comply with CSP

---

Support & Contribution
----------------------

Contributions are welcome:

1. Fork the repository
2. Create a feature branch
3. Commit and push your changes
4. Open a pull request

Support availability may vary.

---

Disclaimer
----------


This extension is provided **as-is**, without warranty of any kind. The author is not liable for damages resulting from the use of this module.

---

License
-------


**Open Software License (OSL-3.0)**

---

Author
------


**Basant Mandal**, HK2 – Hash Tag Kitto

- Website: https://www.basantmandal.in/
- LinkedIn: https://www.linkedin.com/in/basantmandal/

