

Status: Active · Type: silverstripe-vendormodule · Category: [Security](/categories/security)

nswdpc/silverstripe-csp
=======================

SilverStripe Content Security Policy module

Latest release: v1.0.1 (1y ago) · 9 stars · 14.2k downloads (↓44.8%) · [6 issues](https://github.com/nswdpc/silverstripe-csp/issues) · [2 PRs](https://github.com/nswdpc/silverstripe-csp/pulls) · License: BSD-3-Clause · PHP · CI failing

Since Feb 27 · Pushed 11mo ago · 4 watchers

[Source](https://github.com/nswdpc/silverstripe-csp) · [Packagist](https://packagist.org/packages/nswdpc/silverstripe-csp) · [RSS](/packages/nswdpc-silverstripe-csp/feed) · Branch: master · Synced 2d ago

Changelog (10) · Dependencies (5) · Versions (25) · Used By (1)

Content Security Policy (CSP) module for Silverstripe websites
==============================================================


> Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

Source: MDN, [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

This module provides the ability to:

- Create one or more CSP records within the administration area of your website and make one of those the base policy for use on the website
- Set a CSP record to be [report only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
- Collect CSP Violation reports internally via a controller or via a specific URL/service
- Add page specific CSP records, which work with or without the base policy
- Add a per-request nonce

Once a CSP is in place and being enforced, any asset load that does not meet the policy's requirements is blocked by the browser, which logs a warning similar to this in the developer console (in report-only mode the asset still loads, but the same message and a violation report are produced):

`Refused to load the script 'https://badactor.example.com/eval.js' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-example' https://cdnjs.cloudflare.com/".`

Versioning
----------


For Silverstripe 5.x, use version constraint ^1

For Silverstripe 4.x, use version constraint ^0.4.3

Installation
------------


The only supported method of installing this module is via composer:

```
composer require nswdpc/silverstripe-csp
```

Instructions
------------


> ⚠️ An incorrectly implemented CSP can have negative effects for valid visitors to your website.

1. Read the [initial documentation](./docs/en/00_index.md)
2. Read the [good-to-know section](./docs/en/01_good_to_know.md)
3. Install the module on a development instance of your website and [configure it](./docs/en/00_index.md#configuration)
4. Add at least one Policy record in the "CSP" administration section.
    - Set it to 'report only'
    - Mark it as the 'base policy'
    - Optionally, make it available on your draft site only
5. Set the policy to be delivered via HTTP headers. Meta tags are supported, but they limit the features you can use: browsers ignore `report-uri`, `report-to`, `frame-ancestors` and `sandbox` in a `<meta>` policy, so you would receive no violation reports.
6. Add some Directives
7. Mark the Policy 'Enabled' and save it
8. Watch for violation reports or look at your browser dev console

When you are pleased with the settings, check the "Use on published website" setting and save.

After UAT is complete, repeat the same process on your production website: run the policy as report-only first and monitor the reports, and switch to enforcing only once the remaining reports are noise (browser extensions, scripts injected by third parties) rather than assets your site actually needs.

Page specific policies
----------------------


By default, Pages can define an extra Policy that is delivered together with the base policy when the page is requested, with the following caveat from [MDN's notes on multiple content security policies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#Multiple_content_security_policies):

> Adding additional policies can only further restrict the capabilities of the protected resource

Each policy on a response is enforced independently, so a resource must be allowed by every one of them. This means that you can't (currently) relax the base policy restrictions from within your page policy: a host listed only in the page policy is still blocked by the base policy.

Using a nonce
-------------


See [using a nonce](./docs/en/10_using_a_nonce.md)
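To make the two rules above concrete (a page policy can only tighten the base policy, and a nonce admits only the script that carries it), here is an added example in Python. It is not code from the module or its documentation, and it does not use the module's classes: it is a small evaluator of CSP source expressions covering the common CSP3 cases ('self', 'none', nonces, scheme sources, host sources with wildcards, ports and paths) with the `default-src` fallback. `allowed_by_all` checks a load against every policy delivered with the response, which is how browsers treat a base policy plus a page policy. The policies, hosts and page URL are made up; the nonce is generated with `secrets.token_urlsafe`, which is one suitable source and not necessarily what the module uses.

```python
from __future__ import annotations

import secrets
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "object-src", "frame-src"}


def parse_policy(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.example.com' matches subdomains but not example.com itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_matches(expr: str, url: str, page_origin: str, nonce: str | None) -> bool:
    """Does one source expression admit a load of `url` by a page at `page_origin`?"""
    e = expr.lower()
    u, p = urlsplit(url), urlsplit(page_origin)
    if e == "'none'":
        return False
    if e == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if e.startswith("'nonce-"):
        # Nonces are case-sensitive; constant-time compare so the check itself leaks nothing.
        return nonce is not None and secrets.compare_digest(expr[7:-1], nonce)
    if e.startswith("'"):
        return False  # 'unsafe-inline', 'strict-dynamic', hashes: out of scope here
    if e.endswith(":") and "/" not in e:
        return u.scheme == e[:-1]  # scheme-only source such as https:
    pat = urlsplit(e if "://" in e else "//" + e)
    if pat.scheme:
        if pat.scheme != u.scheme:
            return False
    elif u.scheme not in ("https", p.scheme):
        return False  # schemeless host source: the page's scheme or its secure upgrade
    if not _host_matches(pat.hostname or "", (u.hostname or "").lower()):
        return False
    if pat.port is not None and pat.port != u.port:
        return False
    if not pat.path or pat.path == "/":
        return True
    if pat.path.endswith("/"):
        return u.path.startswith(pat.path)  # path prefix match
    return u.path == pat.path  # exact path match


def allowed_by_policy(header: str, directive: str, url: str, page_origin: str,
                      nonce: str | None = None) -> bool:
    policy = parse_policy(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(source_matches(s, url, page_origin, nonce) for s in sources)


def allowed_by_all(headers: list[str], directive: str, url: str, page_origin: str,
                   nonce: str | None = None) -> bool:
    """Several policies on one response (base policy + page policy, or several
    headers) are each enforced independently, so the load must pass all of them."""
    return all(allowed_by_policy(h, directive, url, page_origin, nonce) for h in headers)


def new_nonce() -> str:
    """Per-response nonce: 128 bits from the CSPRNG, URL-safe base64, never reused."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    page = "https://www.example.com/about-us/"
    base = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com/"
    # A page policy that *adds* a host cannot relax the base policy...
    loosened = "script-src 'self' https://cdnjs.cloudflare.com/ https://analytics.example.net"
    print(allowed_by_all([base, loosened], "script-src",
                         "https://analytics.example.net/a.js", page))           # False
    # ...but a page policy that *drops* a host does tighten it.
    print(allowed_by_all([base, "script-src 'self'"], "script-src",
                         "https://cdnjs.cloudflare.com/ajax/libs/x.js", page))  # False
    n = new_nonce()
    print(allowed_by_all([f"script-src 'nonce-{n}'"], "script-src", "inline", page, n))  # True
```

The `__main__` section is the usage: the first call is the page-policy case from the section above, the second shows the only direction a page policy can move the base policy, and the third shows a nonce admitting an inline script that `'self'` alone would refuse.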

Good-to-know
------------


See [good-to-know](./docs/en/01_good_to_know.md)

Violation Reports
-----------------


See [reporting](./docs/en/05_reporturi_and_other_services.md)
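Step 8 of the instructions and this section both come down to reading violation reports, so here is an added example in Python of triaging them. It is not code from the module or its documentation; the module's own report collection endpoint and storage are not used. The example accepts both bodies a browser can POST: the legacy `report-uri` body (`{"csp-report": {...}}`) and the Reporting API `report-to` body (a JSON array of `{"type": "csp-violation", "body": {...}}`). Reports are normalised to one shape, blocked URIs from browser extensions are set aside as noise, and the rest are grouped by effective directive and blocked origin, split into hosts you might allowlist and keyword hits (`inline`, `eval`) that should be fixed with a nonce or a code change rather than `'unsafe-inline'`. The sample report bodies are constructed for this example.

```python
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlsplit

# Blocked URIs with these schemes come from browser extensions, not from your site.
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension")


def _from_legacy(r: dict) -> dict:
    """report-uri body. violated-directive may carry the whole source list
    ("script-src 'self' ..."), so keep only the directive name."""
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    return {"directive": directive.split()[0] if directive else "",
            "blocked": r.get("blocked-uri", ""),
            "document": r.get("document-uri", ""),
            "disposition": r.get("disposition", "enforce")}


def _from_report_to(body: dict) -> dict:
    """Reporting API body: camelCase keys, always the effective directive."""
    return {"directive": body.get("effectiveDirective", ""),
            "blocked": body.get("blockedURL", ""),
            "document": body.get("documentURL", ""),
            "disposition": body.get("disposition", "enforce")}


def normalise(raw: str) -> list[dict]:
    """One HTTP request body -> uniform report dicts, whichever format the browser used."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        return [_from_legacy(data["csp-report"])]
    if isinstance(data, list):
        return [_from_report_to(item.get("body", {}))
                for item in data if item.get("type") == "csp-violation"]
    return []


def blocked_key(blocked: str) -> str:
    """Group by origin; CSP keywords ('inline', 'eval', 'data', 'blob') stay as they are."""
    if "://" not in blocked:
        return blocked or "(empty)"
    u = urlsplit(blocked)
    return f"{u.scheme}://{u.netloc}"


def is_noise(report: dict) -> bool:
    return urlsplit(report["blocked"]).scheme in EXTENSION_SCHEMES


def triage(bodies: list[str]) -> dict[str, Counter]:
    """Count (directive, blocked origin) pairs, separating extension noise from findings."""
    findings: Counter = Counter()
    noise: Counter = Counter()
    for body in bodies:
        for r in normalise(body):
            key = (r["directive"], blocked_key(r["blocked"]))
            (noise if is_noise(r) else findings)[key] += 1
    return {"findings": findings, "noise": noise}


def suggestions(findings: Counter) -> tuple[dict, dict]:
    """Per directive: hosts you may allowlist, and keyword hits that need a nonce or
    a code change rather than 'unsafe-inline' / 'unsafe-eval'."""
    hosts: dict[str, dict[str, int]] = {}
    keywords: dict[str, dict[str, int]] = {}
    for (directive, key), count in findings.items():
        bucket = hosts if "://" in key else keywords
        bucket.setdefault(directive, {})[key] = count
    return hosts, keywords


# Constructed sample bodies in both formats, as a browser would POST them.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/about-us/", "effective-directive": "script-src",
        "violated-directive": "script-src 'self' https://cdnjs.cloudflare.com/",
        "blocked-uri": "https://badactor.example.com/eval.js", "disposition": "report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/", "effective-directive": "script-src",
        "blocked-uri": "inline", "disposition": "report"}}),
    json.dumps({"csp-report": {  # older browser: violated-directive only
        "document-uri": "https://www.example.com/", "violated-directive": "style-src 'self'",
        "blocked-uri": "https://fonts.googleapis.com/css?family=Roboto"}}),
    json.dumps([
        {"type": "csp-violation", "age": 12, "url": "https://www.example.com/news/",
         "body": {"documentURL": "https://www.example.com/news/", "effectiveDirective": "img-src",
                  "blockedURL": "https://images.example.net/hero.jpg", "disposition": "report"}},
        {"type": "csp-violation", "age": 12, "url": "https://www.example.com/news/",
         "body": {"documentURL": "https://www.example.com/news/", "effectiveDirective": "img-src",
                  "blockedURL": "https://images.example.net/logo.png", "disposition": "report"}},
        {"type": "csp-violation", "age": 30, "url": "https://www.example.com/news/",
         "body": {"documentURL": "https://www.example.com/news/", "effectiveDirective": "script-src",
                  "blockedURL": "chrome-extension://abcdefghijklmnop/content.js",
                  "disposition": "report"}},
    ]),
]

if __name__ == "__main__":
    result = triage(SAMPLE_BODIES)
    hosts, keywords = suggestions(result["findings"])
    print("hosts to consider allowlisting:", hosts)
    print("needs a nonce or code fix:", keywords)
    print("extension noise, ignore:", dict(result["noise"]))
```

Feed `triage` the raw bodies your collection endpoint stored and the output tells you, per directive, which origins the site genuinely loads (candidates for the Directive records in step 6) and which reports are extension noise that should not drive policy changes. A `badactor.example.com` entry under `script-src`, as in the console warning earlier on this page, is exactly what you do not allowlist.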

Minimum CSP Level
-----------------


Refer to the following for changes between levels:

- [Changes from Level 1 to 2](https://www.w3.org/TR/CSP2/#changes-from-level-1)
- [Changes from Level 2 to 3](https://www.w3.org/TR/CSP3/#changes-from-level-2)

Additional Help
---------------


See [further reading](./docs/en/00_index.md#further-reading)

Browser Compatibility
---------------------


See [browser support](./docs/en/02_browser_support.md)

Maintainers
-----------


- [dpcdigital@NSWDPC:~$](https://dpc.nsw.gov.au)

Bugtracker
----------


We welcome bug reports, pull requests and feature requests on the Github Issue tracker for this project.

Please review the [code of conduct](./code-of-conduct.md) prior to opening a new issue.

Security
--------


If you have found a security issue with this module, please email digital[@]dpc.nsw.gov.au in the first instance, detailing your findings.

Development and contribution
----------------------------


If you would like to make contributions to the module please ensure you raise a pull request and discuss with the module maintainers.

Please review the [code of conduct](./code-of-conduct.md) prior to completing a pull request.

### Health Score

41 (Fair): better than 87% of packages

- Maintenance: 31 (infrequent updates, may be unmaintained)
- Popularity: 33 (limited adoption so far)
- Community: 17 (small or concentrated contributor base)
- Maturity: 70 (established project with proven stability)
- Bus factor: 1 (top contributor holds 88.5% of commits, a single point of failure)


### Release Activity

- Cadence: every ~146 days (recently every ~122 days)
- Total releases: 17
- Last release: 340d ago
- Major versions: v0.4.4 → v1.0.0 (2024-03-28); v1.0.1 → v2.0.0-rc1 (2025-06-17)

### Community

- Maintainers: [nswdpc](/maintainers/nswdpc)
- Top contributors: [JamesDPC](https://github.com/JamesDPC) (92 commits), [tardinha](https://github.com/tardinha) (9 commits), [pjayme](https://github.com/pjayme) (3 commits)
- Tags: content-security-policy, csp, nel, report-to, silverstripe

### Code Quality

- Tests: PHPUnit
- Code style: PHP CS Fixer


### Alternatives

- [spatie/laravel-csp](/packages/spatie-laravel-csp): Add CSP headers to the responses of a Laravel app
- [aidantwoods/secureheaders](/packages/aidantwoods-secureheaders): A PHP class aiming to make the use of browser security features more accessible.
- [bringyourownideas/silverstripe-composer-security-checker](/packages/bringyourownideas-silverstripe-composer-security-checker): Provides information if your SilverStripe application uses dependencies with known vulnerabilities.
- [born05/craft-csp](/packages/born05-craft-csp): Content Security Policy (or CSP) generator using nonces.
- [sunnysideup/ecommerce](/packages/sunnysideup-ecommerce): Silverstripe E-commerce Application
- [exadium/silverstripe-invisible-spam-protection](/packages/exadium-silverstripe-invisible-spam-protection): Very simple anti-spam protection based on the principle that automated spammers fill in every form field. A field hidden from human users with CSS is added to the form, and the form is only accepted if that field is empty. Includes an EditableInvisibleSpamField to integrate with the UserForms module.

