
limesoda-com/ls-security-headers
================================

Configures security headers like content security policy

Latest version: v2.1.0 · License: GPL-2.0-or-later · PHP >=8.2 <=8.3.99

[Source](https://github.com/LimeSoda/ls_security_headers) · [Packagist](https://packagist.org/packages/limesoda-com/ls-security-headers) · [Docs](https://www.limesoda.com)

Compatible with [TYPO3 13](https://get.typo3.org/version/13)

TYPO3 Extension `ls_security_headers`
=====================================


This extension offers configurable security headers for the frontend. You can easily create and manage them in a database record of your root page in the TYPO3 backend.
This comes in handy if for example resources are regularly added/changed, and you need to update the content security policy (CSP) accordingly.
The extension also offers the generation of CSP nonces.

Setup
-----


1. Install the extension using Composer
2. Import the provided site set in your site configuration, or declare it as a dependency in the site set of your site package(s)
3. Create a "Security Headers" record on the root page and configure the desired headers
4. Validate your configuration with scanners such as [HTTP Observatory](https://developer.mozilla.org/en-US/observatory), [securityheaders.com](https://securityheaders.com/) and/or many others.

### Important Notes


- **It's highly recommended to use this extension only if the TYPO3 core feature `security.frontend.enforceContentSecurityPolicy` is disabled.**
- Security Headers that are defined in the `.htaccess` or in some other server configuration will not be overwritten.
- If EXT:staticfilecache is used, you have to extend the [validHtaccessHeaders extension setting](https://github.com/lochmueller/staticfilecache/blob/master/ext_conf_template.txt#L14).
- Security Headers for the TYPO3 Backend can be defined in `settings.php` or `additional.php` with the [BE setting "HTTP"](https://docs.typo3.org/m/typo3/reference-coreapi/13.4/en-us/Configuration/Typo3ConfVars/BE.html#confval-globals-typo3-conf-vars-be-http).

Features
--------


### Nonce support


This extension includes a [TypoScript helper function](Classes/UserFunctions/Csp.php) for generating CSP nonces.
All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy header at the end of the request.
Basic usage:

```

```

The policy argument defines the policy the nonce should be added to (style for style-src, script for script-src, ...). The length argument defines the length of the nonce in bytes.

Furthermore, the nonce can be output as an attribute by setting the flag `asAttribute = '1'`. A possible use case is the replacement feature of TypoScript:

```
page.headerData.200 = COA
page.headerData.200 {
    10 = TEXT
    # The <script> tag around the JavaScript was lost in extraction and is assumed here;
    # ###NONCE### is replaced below with the nonce="..." attribute (asAttribute = 1).
    10.value (
        <script ###NONCE###>
            console.log('Hello World');
        </script>
    )
    10.value {
        replacement {
            1 {
                search = ###NONCE###
                replace.stdWrap.postUserFuncInt = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
                replace.stdWrap.postUserFuncInt {
                    length = 32
                    policy = script
                    asAttribute = 1
                }
            }
        }
    }
}
```

Additionally, you can define your own TypoScript library object for use with the cObject ViewHelper:

```
lib.nonceAttribute = USER_INT
lib.nonceAttribute {
    userFunc = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce
    length = 32
    policy = script
    asAttribute = 1
}

```
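As an added illustration of the mechanism this section describes (not the extension's own `Csp.php`), the standalone PHP sketch below collects every nonce generated during a request, keyed by policy, and appends the matching `'nonce-…'` source expressions to the Content-Security-Policy value at the end of the request. The class name, the `applyTo()` helper and the demo values are hypothetical; the three arguments mirror the documented `length`, `policy` and `asAttribute` options.

```php
<?php
// Added illustration only, NOT the extension's Csp.php; class, method and
// applyTo() names are hypothetical. Arguments mirror length/policy/asAttribute.
declare(strict_types=1);

final class NonceCollector
{
    /** @var array<string, list<string>> nonces keyed by policy (script, style, ...) */
    private array $nonces = [];

    public function generateNonce(int $length = 32, string $policy = 'script', bool $asAttribute = false): string
    {
        // random_bytes() is a CSPRNG; base64 output only uses characters that
        // are valid inside a CSP 'nonce-...' source expression.
        $nonce = base64_encode(random_bytes($length));
        $this->nonces[$policy][] = $nonce;
        return $asAttribute ? sprintf('nonce="%s"', $nonce) : $nonce;
    }

    // At the end of the request, append every collected nonce to the matching
    // <policy>-src directive of the configured policy string.
    public function applyTo(string $csp): string
    {
        $out = [];
        $seen = [];
        foreach (array_filter(array_map('trim', explode(';', $csp))) as $directive) {
            [$name, $sources] = array_pad(explode(' ', $directive, 2), 2, '');
            $policy = preg_replace('/-src$/', '', $name);   // script-src -> script
            foreach ($this->nonces[$policy] ?? [] as $nonce) {
                $sources .= " 'nonce-{$nonce}'";
                $seen[$policy] = true;
            }
            $out[] = trim("{$name} {$sources}");
        }
        // A policy with nonces but no existing directive gets one added.
        foreach ($this->nonces as $policy => $list) {
            if (!isset($seen[$policy])) {
                $out[] = "{$policy}-src " . implode(' ', array_map(fn ($n) => "'nonce-{$n}'", $list));
            }
        }
        return implode('; ', $out);
    }
}

// Constructed demo: one script nonce as attribute, one style nonce as raw value.
$collector = new NonceCollector();
$scriptAttr = $collector->generateNonce(32, 'script', true);   // nonce="..."
$styleNonce = $collector->generateNonce(16, 'style');          // raw base64 value
echo "<script {$scriptAttr}>console.log('Hello World');</script>\n";
echo 'Content-Security-Policy: ' . $collector->applyTo("default-src 'self'; script-src 'self'") . "\n";
```

The printed header gains `'nonce-…'` on `script-src` and a newly added `style-src` directive, which is why a nonce must be generated before the response headers are flushed.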

### CSP Reporting


#### Local Reporting


The extension provides local CSP reporting that can be enabled in the extension settings. The reports are stored in
the database and can be accessed in the TYPO3 backend module "Security Headers". Additionally, a dashboard widget is
available for a quick overview.

#### External Reporting


The extension supports external reporting of Content Security Policy (CSP) violations. To configure this, open the
"Content Security Policy (CSP)" tab in the security headers record and scroll to the "External reporting" fieldset
at the bottom. There, you can enable reporting and define the endpoint name and URL to which CSP violation reports
should be sent. If external reporting is enabled, local reporting is automatically disabled.

Resources
---------

- [LIMESODA Website Security](https://www.limesoda.com/leistungen/beratung-consulting/website-security)
- [securityheaders.com](https://securityheaders.com/)
- [HTTP Observatory](https://developer.mozilla.org/en-US/observatory)

### Maintainers

- [LIMESODA](https://github.com/LimeSoda) ([@LimeSoda](https://github.com/LimeSoda))