
hk2/csp
=======

Magento 2 module to manage CSP whitelisted URLs

Version 2.0.3 (1mo ago) · License OSL-3.0 · PHP ^8.1 || ^8.2 || ^8.3 || ^8.4 · CI passing · Since Jun 16 · Pushed 3w ago · 1 watcher

[Source](https://github.com/basantmandal/magento2-csp-whitelisting-module) · [Packagist](https://packagist.org/packages/hk2/csp)

[Packagist](https://packagist.org/packages/hk2/csp) · [Website](https://www.basantmandal.in/) · [LinkedIn](https://www.linkedin.com/in/basantmandal/) · [Email](mailto:support@basantmandal.in)

HK2 CSP Whitelisting — Magento 2 Module
=======================================


Manage Content Security Policy (CSP) whitelists in Magento 2 with zero overhead. Ships with a pre-built whitelist of 80+ trusted hosts and a flexible admin interface for adding custom origins.

---

Overview
--------


Magento 2.4.x ships with a strict CSP mode that blocks inline scripts, external resources, and cross-origin requests by default. Extensions integrating third-party services (analytics, payment gateways, CDNs, social widgets) routinely violate these policies, causing broken checkout flows, missing assets, and console errors.

HK2 CSP Whitelisting solves this by providing a maintainable, audit-friendly CSP management layer — no core hacks, no compilation steps, no deployment pipelines required.

---

Problem Statement
-----------------


- Magento CSP violations break payment iframes, analytics scripts, and CDN assets silently.
- Default CSP configuration requires manual XML editing or compilation.
- Hardcoding hosts into `etc/csp_whitelist.xml` makes per-store or per-environment customisation impossible.
- Merchant-specific host additions are lost on module updates.

---

Solution Approach
-----------------


Three-layer CSP architecture:

1. **Safe-report-only defaults** — broad but safe directive coverage (`CSP.xml`), violations logged, nothing blocked.
2. **Pre-built whitelist** (`csp_whitelist.xml`) — 80+ verified hosts across 7 directives, updated per release.
3. **Admin custom whitelist** — 6 textarea fields per store view, persisted in DB, survives updates.

A plugin intercepts `Magento\Csp\Model\Policy\PolicyList::getAllPolicies` and merges all three layers into a single policy object. No template overrides, no layout handles, no public assets — purely server-side policy assembly.

---

Alternatives Considered
-----------------------

| Approach | Trade-off |
|---|---|
| `.htaccess` / `nginx` headers | Ignores Magento CSP framework; breaks GraphQL and AJAX routes |
| Template-level tags | Unsafe, client-side only, bypasses Magento CSP reporting |
| `etc/csp_whitelist.xml` only | Per-store overrides impossible; lost on update |
| Third-party CSP gateway (e.g. Sentry) | Adds latency, cost, and another dependency |
| Disabling CSP entirely | Security regression |

---

Who is this for?
----------------


- Magento 2 merchants using third-party integrations (analytics, payments, CDNs, social media).
- Agencies managing multi-store deployments with different CSP requirements per store.
- Developers needing a predictable, code-reviewed allowlist that doesn't break on module updates.
- Store owners preparing for PCI DSS 4.0 compliance (CSP requirements).

---

Use Cases
---------


- **Payment gateways** — whitelist Stripe, PayPal, or Braintree script & frame sources.
- **Analytics & tracking** — Google Analytics, Tag Manager, Facebook Pixel, Hotjar, Klaviyo.
- **CDN assets** — jsDelivr, cdnjs, Cloudflare, Fontsource, Tailwind CSS.
- **Third-party widgets** — YouTube/Vimeo embeds, Trustpilot reviews, TikTok pixels.
- **Monitoring** — Sentry error tracking, Contentsquare session replay.
- **Social media** — Facebook, Instagram, Twitter/X, Pinterest, LinkedIn pixels & SDKs.

---

Key Features
------------


- **80+ trusted hosts** pre-loaded across 7 CSP directives
- **Admin custom fields** — script-src, style-src, img-src, connect-src, font-src, frame-src
- **Per-store-view configuration** — different whitelists per website/store
- **One-click reset** — clears all custom entries from DB
- **Zero frontend impact** — no layout XML, no block rewrites, no JS
- **No compilation step** — policies assembled at runtime via plugin
- **Report-only by default** — violations logged, nothing blocked out of the box
- **Marketplace-friendly** — no `ObjectManager`, no preferences, no core rewrites

---

Architecture Overview
---------------------


```
┌─────────────────────────────────────────────────────┐
│                  HTTP Response                        │
│         Content-Security-Policy-Report-Only           │
└──────────────────────┬──────────────────────────────┘
                       │
┌──────────────────────▼──────────────────────────────┐
│  PolicyList::getAllPolicies (Magento\Csp)            │
│  ┌────────────────────────────────────────────────┐  │
│  │  Plugin: afterGetAllPolicies                    │  │
│  │  ┌──────────────────┐ ┌──────────────┐ ┌─────┐ │  │
│  │  │ etc/csp.xml      │ │ csp_whitelist │ │ DB  │ │  │
│  │  │ (9 directives,   │ │ .xml          │ │custom│ │  │
│  │  │ report-only)     │ │ (80+ hosts,   │ │(6   │ │  │
│  │  │                  │ │  7 directives)│ │fields│ │  │
│  │  └──────────────────┘ └──────────────┘ └─────┘ │  │
│  └────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────┘

```

### Layer 1 — Base CSP (`etc/csp.xml`)


Safe-report-only defaults for 9 directives. No hosts blocked — only logged. Provides immediate visibility into all policy violations without breaking storefront functionality.

Directives covered: `script-src`, `style-src`, `img-src`, `connect-src`, `font-src`, `media-src`, `object-src`, `base-uri`, `child-src`.

### Layer 2 — Pre-built Whitelist (`etc/csp_whitelist.xml`)


Curated set of 80+ hosts across the most commonly needed directives. Sources verified for correctness — no wildcard entries, no redundant allowances.

| Category | Examples | Directives Covered |
|---|---|---|
| Google Services | analytics, tagmanager, gstatic, googleapis, googleusercontent | script-src, style-src, img-src, connect-src, font-src |
| Facebook / Instagram | connect.facebook.net, www.facebook.com, graph.facebook.com | script-src, img-src, connect-src |
| Twitter / X | platform.twitter.com, cdn.syndication.twimg.com, abs.twimg.com | script-src, img-src |
| Pinterest | assets.pinterest.com, s.pinimg.com | script-src, img-src |
| LinkedIn | platform.linkedin.com, www.linkedin.com | script-src, img-src, connect-src |
| TikTok | sdk.tt.io, analytics.tiktok.com | script-src, img-src |
| Cloudflare | cdnjs.cloudflare.com, ajax.cloudflare.com | script-src, style-src, img-src, connect-src |
| jsDelivr | cdn.jsdelivr.net | script-src, style-src, img-src, connect-src, font-src |
| Tailwind | cdn.tailwindcss.com | script-src, style-src |
| cdnjs | cdnjs.cloudflare.com | script-src, style-src, img-src, connect-src, font-src |
| Fontsource | cdn.fontsource.org, api.fontsource.org | font-src, style-src |
| Stripe | js.stripe.com, checkout.stripe.com, api.stripe.com | script-src, img-src, connect-src, frame-src |
| PayPal | www.paypal.com, api.paypal.com, www.paypalobjects.com | script-src, img-src, connect-src, frame-src |
| Hotjar | static.hotjar.com, script.hotjar.com, vars.hotjar.com | script-src, img-src, connect-src |
| Klaviyo | static.klaviyo.com, a.klaviyo.com | script-src, img-src, connect-src |
| Contentsquare | tag.contentsquare.com, unsecure.contentsquare.com | script-src, img-src, connect-src |
| Trustpilot | widget.trustpilot.com, api.trustpilot.com | script-src, img-src, connect-src |
| Sentry | js.sentry-cdn.com, o\*.ingest.sentry.io | script-src, connect-src |
| YouTube / Vimeo | www.youtube.com, www.youtube-nocookie.com, player.vimeo.com | script-src, img-src, connect-src, frame-src |

### Layer 3 — Admin Custom Whitelist

Six multi-line textarea fields under **Stores → Configuration → CSP Whitelisting**:

| Field | Config Path | Directive |
|---|---|---|
| Script Sources | `Csp/policies/script_src` | script-src |
| Style Sources | `Csp/policies/style_src` | style-src |
| Image Sources | `Csp/policies/img_src` | img-src |
| Connect Sources | `Csp/policies/connect_src` | connect-src |
| Font Sources | `Csp/policies/font_src` | font-src |
| Frame Sources | `Csp/policies/frame_src` | frame-src |

---

System Requirements
-------------------

| Requirement | Version |
|---|---|
| Magento | 2.4.x (Open Source / Commerce) |
| PHP | 8.1 — 8.4 |
| Magento Framework | ^103.0.0 |
| HK2 Core | ^1.0 |
| Magento\_Csp | Bundled with Magento |
| Browser | CSP-supporting (all modern browsers) |

---

Installation
------------


```
composer require hk2/csp
php bin/magento module:enable HK2_Csp
php bin/magento setup:upgrade
php bin/magento cache:clean config
```

See [docs/installation.md](docs/installation.md) for full instructions including verification steps.

---

Configuration
-------------


1. Navigate to **Stores → Configuration → CSP Whitelisting**.
2. Select the store view (website/store level).
3. Enter one host per line in the desired directive field(s).
4. Save config.
5. Flush the Magento cache (`php bin/magento cache:flush config`).
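The policy assembly the module performs at runtime (base directives, `csp_whitelist.xml` hosts, and the one-host-per-line admin fields merged into a single policy) can be modelled outside Magento. The following is an added example in Python, not the module's own PHP plugin: it parses a constructed `csp_whitelist.xml` fragment in the `Magento_Csp` schema, reads admin textarea values keyed by the config paths listed above, merges the three layers in order with duplicates removed, and renders the resulting report-only header. The base directive set and the `#` comment convention in textarea values are assumptions made for the example.

```python
"""Three-layer CSP assembly modelled on the HK2 CSP Whitelisting design.

Added example, not the module's own code. Layers, in merge order:
  1. base directives (assumed stand-in for etc/csp.xml),
  2. a csp_whitelist.xml fragment in the Magento_Csp schema,
  3. admin textarea values keyed by config path (one host per line).
"""
import xml.etree.ElementTree as ET

# Layer 1: assumed base directives ('self' only), standing in for etc/csp.xml.
BASE_POLICIES = {
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "font-src": ["'self'"],
    "frame-src": ["'self'"],
}

# Layer 2: constructed csp_whitelist.xml using the Magento_Csp element names.
WHITELIST_XML = """<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="stripe_js" type="host">js.stripe.com</value>
                <value id="jsdelivr" type="host">cdn.jsdelivr.net</value>
            </values>
        </policy>
        <policy id="frame-src">
            <values>
                <value id="stripe_checkout" type="host">checkout.stripe.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
"""

# Layer 3: the README's config paths mapped to the directive each field feeds.
CONFIG_PATH_TO_DIRECTIVE = {
    "Csp/policies/script_src": "script-src",
    "Csp/policies/style_src": "style-src",
    "Csp/policies/img_src": "img-src",
    "Csp/policies/connect_src": "connect-src",
    "Csp/policies/font_src": "font-src",
    "Csp/policies/frame_src": "frame-src",
}


def parse_whitelist_xml(xml_text):
    """Return {directive: [host, ...]} from a csp_whitelist.xml document."""
    root = ET.fromstring(xml_text)
    result = {}
    for policy in root.iter("policy"):
        hosts = [v.text.strip() for v in policy.iter("value")
                 if v.get("type") == "host" and v.text]
        result.setdefault(policy.get("id"), []).extend(hosts)
    return result


def parse_textarea(text):
    """One host per line; blank lines and '#' comment lines (assumed) are ignored."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hosts.append(line)
    return hosts


def parse_admin_config(config):
    """Return {directive: [host, ...]} from {config_path: textarea_value}."""
    result = {}
    for path, value in config.items():
        directive = CONFIG_PATH_TO_DIRECTIVE.get(path)
        if directive is not None:
            result.setdefault(directive, []).extend(parse_textarea(value))
    return result


def merge_layers(*layers):
    """Merge layers in order, keeping first occurrence of each source."""
    merged = {}
    for layer in layers:
        for directive, sources in layer.items():
            bucket = merged.setdefault(directive, [])
            bucket.extend(s for s in sources if s not in bucket)
    return merged


def render_header(policies):
    """Serialise {directive: [source, ...]} as a CSP header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policies.items())


def assemble(admin_config, whitelist_xml=WHITELIST_XML, base=BASE_POLICIES):
    return merge_layers(base, parse_whitelist_xml(whitelist_xml),
                        parse_admin_config(admin_config))


if __name__ == "__main__":
    demo = {"Csp/policies/script_src": "js.stripe.com\nwww.googletagmanager.com\n",
            "Csp/policies/img_src": "# pixels\nwww.facebook.com\n"}
    print("Content-Security-Policy-Report-Only:", render_header(assemble(demo)))
```

Merge order matters for review: because the admin layer is applied last, a duplicate of a pre-built host in a custom field is simply dropped, while a new host shows up at the end of its directive, which makes a diff of the rendered header an easy way to see what a store-view override actually added.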

### Reset Custom Whitelist


Click **Reset Custom CSP Whitelist** to clear all six custom fields from the database for the current scope. This does **not** affect the pre-built `csp_whitelist.xml` or the base `csp.xml`.

---

CSP in Magento 2
----------------


By default Magento ships with `Content-Security-Policy` headers in **Report-Only** mode. This module follows the same approach — violations are logged but never blocked.

- Production: switch to enforcement mode by editing `etc/csp.xml` (change `report-only` to `enforce`).
- Development: monitor violations in browser console and at the configured report-uri endpoint.
- Testing: use Chrome DevTools or Firefox CSP Inspector to validate directive coverage.

---

Privacy & GDPR
--------------


This module does not:

- Collect, transmit, or store personal data.
- Set cookies or access browser storage.
- Load external resources on its own (whitelist is security metadata, not executable code).

The CSP whitelist only allows — it does not fetch. Any data collection is performed solely by the third-party services whose hosts you whitelist, and is subject to their respective privacy policies.

---

Documentation
-------------

| Document | Description |
|---|---|
| [README.md](README.md) | This file |
| [docs/installation.md](docs/installation.md) | Installation & verification |
| [docs/usage.md](docs/usage.md) | Architecture, admin guide, best practices |
| [docs/compatibility.md](docs/compatibility.md) | Platform & browser support |
| [CHANGELOG.md](CHANGELOG.md) | Version history |
| [SECURITY.md](SECURITY.md) | Vulnerability reporting |

---

Known Limitations
-----------------


- **No CSP reporting endpoint** — Magento expects you to configure your own report-uri (e.g. `report-uri.com`, a self-hosted collector, or Sentry). This module respects whatever reporting configuration you set in `etc/csp.xml`.
- **No `report-to` header support** — Magento's CSP framework uses the older `report-uri` directive.
- **Wildcard sources** — not included in the pre-built whitelist by design; use admin custom fields if you need them.
- **`strict-dynamic`** — not enabled; Magento's CSP framework does not natively support the `strict-dynamic` token.
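Since the module leaves the `report-uri` collector to you, the reports it produces in report-only mode are only useful once something turns them into a review list. The following is an added example, not part of the module: it parses the JSON bodies browsers POST to a `report-uri` endpoint (the `csp-report` object with `effective-directive`, `violated-directive` and `blocked-uri`), counts `(directive, host)` pairs that are candidates for a whitelist entry, and keeps `inline` / `eval` / `data` violations in a separate bucket because no host whitelist can resolve those. The sample reports and the `shop.example` store are constructed.

```python
"""Triage of CSP report-uri payloads into whitelist review candidates.

Added example, not the module's own code. Input is the JSON body a browser
POSTs to the report-uri endpoint; output is two counters: host violations
(possible whitelist additions, to be reviewed) and keyword violations
(inline/eval/data), which a host whitelist cannot fix.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Tokens browsers put in blocked-uri when no origin applies.
KEYWORD_BLOCKED = {"inline", "eval", "data", "blob", "self"}

# Constructed sample reports (shop.example is a placeholder store).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://js.stripe.com/v3/",
        "disposition": "report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://js.stripe.com",
        "disposition": "report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "disposition": "report"}}),
    # Older report shape: no effective-directive, only violated-directive.
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "violated-directive": "img-src 'self' data:",
        "blocked-uri": "https://www.facebook.com/tr?id=123"}}),
    "this is not json",
]


def parse_report(body):
    """Return the inner csp-report dict, or None for malformed input."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    return report if isinstance(report, dict) else None


def classify_blocked_uri(blocked):
    """Map blocked-uri to ('host', netloc) or ('keyword', token)."""
    blocked = (blocked or "").strip()
    if not blocked or blocked in KEYWORD_BLOCKED:
        return ("keyword", blocked or "unknown")
    parts = urlsplit(blocked)
    # Full URL: keep only the host part; a bare host is used as-is.
    return ("host", (parts.netloc or blocked).lower())


def effective_directive(report):
    """Prefer effective-directive; fall back to the first token of violated-directive."""
    eff = report.get("effective-directive")
    if eff:
        return eff
    return (report.get("violated-directive") or "").split(" ")[0] or "unknown"


def triage(bodies):
    """Aggregate report bodies into (host_hits, keyword_hits) counters."""
    host_hits, keyword_hits = Counter(), Counter()
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue  # malformed or not a CSP report; skip rather than fail
        kind, value = classify_blocked_uri(report.get("blocked-uri"))
        key = (effective_directive(report), value)
        (host_hits if kind == "host" else keyword_hits)[key] += 1
    return host_hits, keyword_hits


if __name__ == "__main__":
    hosts, keywords = triage(SAMPLE_REPORTS)
    for (directive, host), n in hosts.most_common():
        print(f"review: {directive} {host} ({n} reports)")
    for (directive, token), n in keywords.most_common():
        print(f"not whitelistable: {directive} {token} ({n} reports)")
```

A host appearing in this list is a candidate, not an automatic approval: the reviewer still confirms the host belongs to the integration the store actually uses before adding it to an admin field, and the inline/eval bucket points at template or extension code that needs changing rather than at a missing host.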

---

Contributing
------------


Contributions are welcome. Please open an issue or pull request on the [GitHub repository](https://github.com/hktech/csp-whitelisting).

### Guidelines


- Follow PSR-12 and Magento 2 coding standards.
- Add or update tests for any new whitelist entries.
- Verify hosts serve content over HTTPS.
- Avoid wildcard (`*`) entries in the pre-built whitelist.
- Keep `csp_whitelist.xml` entries alphabetically sorted by host.

---

License
-------


**OSL-3.0** — Open Software License 3.0

This license requires that any derivative work distributed as a whole must be made available under the same license terms. See [LICENSE](LICENSE) for full text.

**AFL-3.0** — Academic Free License 3.0 (alternate license for certain jurisdictions).

---

Disclaimer
----------


THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. The authors and Super Market Depot shall not be held liable for any damages arising from the use of this software. The pre-built CSP whitelist is provided as a convenience and may not cover all third-party hosts used by your store. Always audit CSP policies in a staging environment before deploying to production.
