magesteady/csp-backoffice
=========================

MageSteady CSP Backoffice module for Magento 2 allows you to manage and edit the Content Security Policy (CSP) directly from the admin panel

1.0.0 (1y ago) · GPL-3.0-only · PHP >=8.1

[Source](https://github.com/MageSteady/csp-backoffice) · [Packagist](https://packagist.org/packages/magesteady/csp-backoffice)


MageSteady CSP Backoffice
=========================

Description
-----------

**MageSteady CSP Backoffice module for Magento 2** allows you to manage and edit the Content Security Policy (CSP) directly from the admin panel, instead of modifying XML files.

This is particularly useful for teams where non-developers manage tagging strategies through tools like Google Tag Manager or directly from the Design configuration in the Magento backoffice.

This module also allows you to collect and view CSP violation reports from the Magento admin panel.

You can also use this module to fix the "CSP header is too large" issue by cleaning up useless values from Magento core and other modules.

If you have multiple themes installed, you will also be able to have different rules for each store view.

Features
--------

- Edit your Content Security Policy rules in the Magento 2 admin panel
- Collect and view CSP violation reports in the admin panel
- Supports multi-website instances (each rule can be scoped to a specific store view)
- Enable/disable CSP restrict mode from Stores > Configuration
- Override default `csp_whitelist.xml` entries (so you can remove the useless ones)
- Import/export rules from/to CSV
- Enable/disable the module to get back to the default Magento 2 behavior
- Manage view/edit permission via an ACL rule
- Manage your rules from a remote system using the API
- Violation reports history cleaned periodically to keep only the last X entries (configurable)
- Fully translated into French (we are happy to merge your contributions if you want more languages supported)

Table of Contents
-----------------

- [Installation](#installation)
- [Usage](#usage)
- [Compatibility](#compatibility)
- [Code Quality](#code-quality)
- [Known Issues](#known-issues)
- [Contributing](#contributing)
- [License](#license)
- [Disclaimer](#disclaimer)
- [Changelog](#changelog)

Installation
------------

1. Require the module via Composer: `composer require magesteady/csp-backoffice`
2. Enable/install the module: `bin/magento setup:upgrade`

Usage
-----

1. Navigate to the Magento admin panel.
2. Go to MageSteady > Content Security Policy > Rules.
3. Add, edit, or remove CSP policy rules as needed. You can also import from current XML rules.
4. Go to MageSteady > Content Security Policy > Configuration.
5. Enable rules management and/or violation reports.
6. Flush the cache.
7. *(Optional) Wait a few days and review your violation reports in MageSteady > Content Security Policy > Violation Reports.*
8. *(Optional) Once you're ok with your rules, you can enable CSP Restrict Mode in MageSteady > Content Security Policy > Configuration.*

Compatibility
-------------

- Magento Open Source/Adobe Commerce: 2.4.x and above

Code Quality
------------

This module is built with respect for Magento 2’s coding guidelines, ensuring:

- Stable, maintainable codebase.
- Compatibility with future Magento updates.
- Clean implementation following Magento's architectural principles.

This module is also thoroughly optimized for performance and should not impact your stores' general speed.

We never use any private variable, and we try to keep public methods as short as possible to allow you to change this module's behavior easily by using plugins (preferably) and preferences if needed.

Known Issues
------------

### CSP header is too large

**Description:** Header size is limited to 8k by default in nginx and Apache. This can be an issue if you have too many rules in your Content Security Policy, as all the rules will be stacked one after the other in the same "Content-Security-Policy" header.

**Workaround:** Try removing some unnecessary rules in your configuration. If you can't get them to fit in the 8k default limitation, you should raise the maximum header size in your nginx/Apache configuration.
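
An added example, not part of the module or its README: a Python sketch that measures how many bytes a policy takes as a single `Content-Security-Policy` header line and prunes duplicate or wildcard-covered host sources, so you can see what cleanup gains before raising the server limit. The function names and the sample policy are constructed for illustration.

```python
import re

LIMIT = 8 * 1024  # default nginx/Apache header limit cited in the README
HOST = re.compile(r"^(?:(https?)://)?([a-z0-9.*-]+)$")  # host source, no port or path

def parse_policy(value):
    """Return {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def prune(sources):
    """Drop exact duplicates, then hosts already matched by a wildcard in the same list."""
    kept, seen = [], set()
    for src in sources:
        key = src.lower() if HOST.match(src.lower()) else src  # nonces and hashes stay case-sensitive
        if key not in seen:
            seen.add(key)
            kept.append(src)
    parsed = [(src, HOST.match(src.lower())) for src in kept]
    wild = [(m.group(1), m.group(2)[1:]) for _, m in parsed if m and m.group(2).startswith("*.")]

    def covered(m):
        scheme, host = m.groups()
        # A scheme-less wildcard is only assumed to cover scheme-less or https hosts.
        return not host.startswith("*") and any(
            host.endswith(suffix) and (scheme == w or (w is None and scheme == "https"))
            for w, suffix in wild)

    return [src for src, m in parsed if not (m and covered(m))]

def header_bytes(policy):
    value = "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items())
    return len(f"Content-Security-Policy: {value}".encode())

def audit(value, limit=LIMIT):
    before = parse_policy(value)
    after = {name: prune(srcs) for name, srcs in before.items()}
    dropped = {n: len(before[n]) - len(after[n]) for n in before if before[n] != after[n]}
    return {"bytes_before": header_bytes(before), "bytes_after": header_bytes(after),
            "fits": header_bytes(after) <= limit, "dropped": dropped}

SAMPLE = ("default-src 'self'; script-src 'self' *.example.com https://cdn.example.com "  # constructed
          "cdn.example.com https://tags.example.net https://tags.example.net 'unsafe-inline'; "
          "img-src 'self' data: http://img.example.com https://*.example.com https://img.example.com")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Sources with a port or path are left untouched because the pruning only reasons about plain host sources; review the `dropped` counts per directive before removing the matching rules in the admin panel.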

### Can't login to backoffice after activating Restrict mode

**Description:** If you have enabled adminhtml reCAPTCHA without allowing Google reCAPTCHA's script to load, you are locked out of the backoffice and can't log in.

**Workaround:** Run this command `bin/magento config:set magesteady_csp_backoffice/general/enable_restrict_mode_adminhtml 0`, flush the cache, then add the reCAPTCHA script to your rules and enable Restrict mode again.

### CSP violation reports are not collected properly

**Description:** I have enabled violation reports and they are not showing in the backoffice.

**Workaround:** CSP violation reports are queued in your visitors' browsers and sent when the browser is idle, so allow a few moments for them to appear in your backoffice. Also be aware that CSP violations are only reported to publicly accessible websites with a valid SSL certificate.

Contributing
------------

Contributions, issues, and feature requests are welcome!

Feel free to open an issue or submit a pull request on GitHub at .

License
-------

This module is licensed under the GNU General Public License v3.0. Refer to the LICENSE file for details.

Disclaimer
----------

Use this module at your own risk.

While it provides convenience, improper configuration may lead to security vulnerabilities.

We advise you to read this documentation for a better understanding of CSP security concerns: [https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)

**We strongly encourage you to use the ACL role to forbid CSP rule editing by people who are unaware of the security consequences.**

Please always keep your store up to date to prevent any unwanted modification of this module's database table.

Always test changes thoroughly in a staging environment before applying them to production.

Changelog
---------

### v1.0.0

Release first version
