
nieuwenhuizen/content-security-policy
=====================================

Configure your content-security-policy header easily with yaml

1.0.0 (7y ago) · 22.4k · 1 · [1 issues](https://github.com/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy/issues) · MIT · PHP >=7.1.1

Since Aug 8 · Pushed 6y ago · 2 watchers

[Source](https://github.com/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy) · [Packagist](https://packagist.org/packages/nieuwenhuizen/content-security-policy)

[Maintainability](https://codeclimate.com/github/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy/maintainability) · [StyleCI](https://github.styleci.io/repos/143305157)

Nieuwenhuizen.ContentSecurityPolicy
===================================


Flow/Neos package to set your site's content security policy header easily with yaml

- [Usage](#usage)
- [Custom directives](#custom)
- [Disable or report](#disable-report)
- [Nonce](#nonce)
- [Backend](#backend)

Usage
--------------------------------------


Import the package using composer:

```
composer require nieuwenhuizen/content-security-policy
```

The package is automatically active once imported. By default the response header `Content-Security-Policy` will now be included.

It will use the default configuration which looks like this:

```
Nieuwenhuizen:
  ContentSecurityPolicy:
    enabled: true
    report-only: false
    content-security-policy:
      default:
        base-uri:
          - 'self'
        connect-src:
          - 'self'
        default-src:
          - 'self'
        form-action:
          - 'self'
        img-src:
          - 'self'
        media-src:
          - 'self'
        frame-src:
          - 'self'
        object-src:
          - 'self'
        script-src:
          - 'self'
        style-src:
          - 'self'
        font-src:
          - 'self'
      custom: []
```

With this configuration only resources from the same origin are allowed for the most common directives. The header is enabled by default and report-only mode is disabled, so violations are blocked rather than merely reported.

Custom directives and values
--------------------------------------------------------------


The default configuration will probably not suit your needs. You can extend it by adding a `custom` array to your own yaml configuration files, like this:

```
Nieuwenhuizen:
  ContentSecurityPolicy:
    content-security-policy:
      custom:
        frame-src:
          - 'https://www.youtube.com'
          - 'https://staticxx.facebook.com'
```

If you want to replace the entire default configuration instead of extending it, override the `default` key in your yaml.

Disable or report only
----------------------------------------------------------------


To disable the header, set `enabled` to false. To send it as a report-only header instead, set `report-only` to true. That way you can see the possible errors without breaking functionality, because violations are reported but nothing is blocked.

Nonce
--------------------------------------


You might want to use a nonce so that inline scripts and styles can be allowed while the policy stays strict. To do this, add `{nonce}` as a value in a directive, like this:

```
Nieuwenhuizen:
  ContentSecurityPolicy:
    content-security-policy:
      custom:
        script-src:
          - '{nonce}'
```

Now the header includes a `nonce-automatedgeneratedrandomstring` value in the `script-src` directive, so inline scripts that do not carry the matching nonce are blocked.

To add the nonce string in your templates use the supplied ViewHelper like this:

```
{namespace csp=Nieuwenhuizen\ContentSecurityPolicy\ViewHelpers}

	alert('Hello world');

```

Backend
------------------------------------------


Because the Neos backend is currently rendered a bit differently than the frontend, a separate policy is added for the backend. I have currently found no suitable way to add the nonce to the inline scripts in the Neos UI package, so the CSP for the backend looks like this:

```
backend:
  base-uri:
    - 'self'
  connect-src:
    - 'self'
  default-src:
    - 'self'
  form-action:
    - 'self'
  img-src:
    - 'self'
  media-src:
    - 'self'
  frame-src:
    - 'self'
  object-src:
    - 'self'
  script-src:
    - 'self'
    - 'unsafe-inline'
  style-src:
    - 'self'
    - 'unsafe-inline'
  font-src:
    - 'self'
custom-backend: []
```

Unsafe inline scripts and styles are allowed in the backend because the backend does not work without them. I will try to find a nice solution for this as soon as possible.

As with the `custom` array for the frontend, you can add your own policies to the `custom-backend` array.
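The configuration model described in the sections above (default and custom arrays, the backend variant, report-only mode and the `{nonce}` placeholder), condensed into one added PHP example; this is not the package's own code. It assumes that custom values are appended to the same directive of the base policy, that `{nonce}` expands to a quoted `nonce-<random>` source, and that report-only only changes the header name.

```php
<?php
// Added example, not the package's code. Assumptions: 'custom' values are appended
// to the same directive in 'default' (or 'backend'/'custom-backend'), '{nonce}'
// expands to 'nonce-<random>', and report-only only changes the header name.
declare(strict_types=1);

function buildCspHeader(array $settings, bool $backend, string $nonce): array
{
    $csp = $settings['content-security-policy'];
    $directives = $csp[$backend ? 'backend' : 'default'] ?? [];
    $custom = $csp[$backend ? 'custom-backend' : 'custom'] ?? [];
    // Merge: custom sources extend a directive, they never replace the defaults.
    foreach ($custom as $name => $sources) {
        $directives[$name] = array_values(array_unique(
            array_merge($directives[$name] ?? [], $sources)
        ));
    }
    $parts = [];
    foreach ($directives as $name => $sources) {
        $values = array_map(static function (string $src) use ($nonce): string {
            if ($src === '{nonce}') {
                return "'nonce-{$nonce}'";
            }
            // YAML 'self' parses to the bare word self; CSP keywords need quotes.
            $keywords = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];
            return in_array($src, $keywords, true) ? "'{$src}'" : $src;
        }, $sources);
        $parts[] = $name . ' ' . implode(' ', $values);
    }
    $header = ($settings['report-only'] ?? false)
        ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    return [$header, implode('; ', $parts)];
}

// Constructed settings mirroring the README's default, custom and nonce snippets.
$settings = [
    'enabled' => true,
    'report-only' => true,
    'content-security-policy' => [
        'default' => ['default-src' => ['self'], 'script-src' => ['self'], 'frame-src' => ['self']],
        'custom' => ['frame-src' => ['https://www.youtube.com'], 'script-src' => ['{nonce}']],
    ],
];
if ($settings['enabled']) {
    $nonce = base64_encode(random_bytes(16)); // generate a fresh nonce per response
    [$name, $value] = buildCspHeader($settings, false, $nonce);
    echo "{$name}: {$value}\n";
}
```

Passing `true` as the second argument selects the `backend` and `custom-backend` arrays instead, which is where the `unsafe-inline` sources from the backend policy would end up in the emitted header.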


### Community

Maintainers: [lars.nieuwenhuizen](/maintainers/lars.nieuwenhuizen)

Top Contributors: [LarsNieuwenhuizen](https://github.com/LarsNieuwenhuizen) (1 commits)


PHPackages © 2026

