offline/oc-csp-plugin
=====================

Content Security Policy Manager for October CMS

v1.0.12 · MIT license · PHP >=7.1 · 45.8k downloads · last pushed 3 years ago

[Source](https://github.com/OFFLINE-GmbH/oc-csp-plugin) · [Packagist](https://packagist.org/packages/offline/oc-csp-plugin)

oc-csp-plugin
=============


This plugin allows you to manage the [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) of your website via October's backend.

You should know what a CSP is and how it works to use this plugin. You can [read more about this topic on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).

Features
--------


The `OFFLINE.CSP` plugin provides the following features:

- The Content-Security-Policy can be configured in the backend
- Preview your CSP before saving it
- Policy violations are automatically logged and can be viewed in the backend
- A per-request [`nonce`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script) is generated and can be used on demand
- The `nonce` can optionally be injected into all `<script>`, `<style>` and `<link>` tags automatically
- Your CSP is patched automatically so it does not break the backend (October's backend requires `unsafe-eval` and `unsafe-inline`)

Getting started
---------------


Install the plugin and visit the CSP page in the backend settings. Configure the CSP according to your needs.

By default, a strict policy is set. We suggest you make your site work with this preset for optimal security.

We suggest that you start in `Report only` mode. This will generate a browser console message and a log entry for each violation of the CSP, without blocking anything.

You can visit the log via the backend settings. You will find a log entry for every violation generated by your site. Tune your CSP until no more violations are logged.

Now you are ready to disable the `Report only` mode and actually block violating requests.
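
Tuning a policy from the violation log means deciding, per logged entry, whether to allowlist a source or fix the page. The following is an added JavaScript example (not the plugin's code) that triages a batch of reports in the standard `csp-report` JSON format browsers POST to `report-uri`; the sample reports are constructed, and `triage` / `toSourceExpression` are hypothetical helper names.

```javascript
// Added example (not the plugin's code): turn CSP violation reports from
// report-only mode into candidate allowlist entries, and separate out the
// violations that must be fixed in code rather than in the policy.

// Constructed sample reports, the kind that accumulate in the log while tuning.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
                    'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.example.net/lib.js' } },
  { 'csp-report': { 'document-uri': 'https://example.com/about', 'effective-directive': 'script-src',
                    'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.example.net/other.js' } },
  { 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'img-src',
                    'violated-directive': 'img-src', 'blocked-uri': 'https://img.example.net/a.png' } },
  { 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
                    'violated-directive': 'script-src', 'blocked-uri': 'inline', 'script-sample': 'onclick handler' } },
  { 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
                    'violated-directive': 'script-src', 'blocked-uri': 'eval' } },
  { 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
                    'violated-directive': 'script-src', 'blocked-uri': 'chrome-extension://abcdef/content.js' } },
];

// Browser extensions inject into pages and trigger violations the site cannot fix.
const EXTENSION_SCHEMES = /^(chrome|moz|safari|ms-browser)-extension:/;

// Reduce a blocked URI to the source expression you would add to the directive,
// or null when allowlisting is the wrong answer.
function toSourceExpression(blockedUri) {
  if (blockedUri === 'inline') return null; // use a nonce or hash, not 'unsafe-inline'
  if (blockedUri === 'eval') return null;   // refactor the code, not 'unsafe-eval'
  if (EXTENSION_SCHEMES.test(blockedUri)) return null;
  try {
    const u = new URL(blockedUri);
    // Opaque origins (data:, blob:) are allowlisted by scheme, everything else by origin.
    return u.origin === 'null' ? u.protocol : u.origin;
  } catch {
    return null;
  }
}

// Returns { suggestions: { directive: [source, ...] }, needsCode: [...], ignored: n }.
function triage(reports) {
  const suggestions = {};
  const needsCode = [];
  let ignored = 0;

  for (const { 'csp-report': r } of reports) {
    // Older reports only carry violated-directive, which may include the policy's sources.
    const directive = r['effective-directive'] || r['violated-directive'].split(' ')[0];
    const blocked = r['blocked-uri'] || '';

    if (blocked === 'inline' || blocked === 'eval') {
      needsCode.push({ directive, blocked, page: r['document-uri'], sample: r['script-sample'] });
      continue;
    }
    const src = toSourceExpression(blocked);
    if (src === null) {
      ignored++;
      continue;
    }
    suggestions[directive] = suggestions[directive] || new Set();
    suggestions[directive].add(src);
  }

  return {
    suggestions: Object.fromEntries(Object.entries(suggestions).map(([d, s]) => [d, [...s].sort()])),
    needsCode,
    ignored,
  };
}

console.log(JSON.stringify(triage(SAMPLE_REPORTS), null, 2));
```

Collapsing blocked URIs to origins is deliberate: allowlisting full file URLs makes the policy brittle, while allowlisting the origin is what the source expression grammar expects. The `inline` and `eval` entries are kept apart on purpose, because "fixing" them by adding `unsafe-inline` or `unsafe-eval` to the policy removes most of the protection the CSP was meant to provide.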

Adding the CSP as a meta tag
----------------------------


If you don't want to add the CSP header to every response, you can opt-in for certain pages by adding this meta tag:

```

```

Make sure to disable the global response header in the backend settings first. Also note that violation reporting is not supported with the meta tag method: browsers ignore `report-uri` in a `<meta>` policy (as they do `frame-ancestors` and `sandbox`), so violations are logged to your browser console but not to the database.

Test your CSP
-------------


You can test the strength of your CSP using [Google's CSP Evaluator](https://csp-evaluator.withgoogle.com/) or the [Mozilla Observatory](https://observatory.mozilla.org/).

Using the nonce on demand
-------------------------


You can access the `nonce` for the current request using the `csp_nonce()` helper function, for example as the `nonce` attribute of an inline script in a CMS page's Twig markup:

```
<script nonce="{{ csp_nonce() }}">
    // inline script permitted by the per-request nonce
</script>
```

You can enable or disable the automatic injection of the nonce via the backend settings.

Modifying the CSP dynamically
-----------------------------


Sometimes you need to change your CSP configuration for a single page only. You can listen for the `offline.csp.extend` event and modify the CSP settings to your needs.

```
// Add this to your Plugin.php's boot method.
\Event::listen('offline.csp.extend', function (&$settings, $controller) {
    // Check for a certain page. You could also use ->fileName here.
    if (starts_with($controller->getPage()->url, '/needs-unsafe-eval')) {
        // Add the unsafe-eval option to the script_src configuration.
        // $settings is passed by reference, so the change only affects this response.
        $settings['script_src'][] = 'unsafe-eval';
    }
});
```

When things break
-----------------


A misconfigured CSP can break your site. Make sure to work in `Report only` mode until you have fine-tuned your site to your CSP.

If for any reason you are unable to access your site after you enabled the CSP, you can run the following console command to disable the CSP header injection completely:

```
php artisan csp:disable

```

Integration with October's Turbo Router
---------------------------------------


If you are using October's Turbo Router together with a nonce, your assets will be included again on every Turbo request, because each response carries a new nonce attribute and Turbo therefore treats the asset as new.

A possible solution to this problem is to send an `X-Turbo-Nonce` header with every request. If this header is present, the CSP plugin recycles the nonce and returns the new content with the old nonce.

Please note that this reduces the security of the nonce feature, since a nonce becomes long-lived over multiple requests instead of expiring with the response it was issued for.

### Example implementation


Add a `csp-nonce` meta tag to your head section that carries the current request's nonce:

```
<meta name="csp-nonce" content="{{ csp_nonce() }}">
```

Listen for the `ajax:request-start` event and add the `X-Turbo-Nonce` header to every request:

```
window.addEventListener('ajax:request-start', (event: Event) => {
    // October's AJAX framework dispatches a CustomEvent whose detail carries the XHR.
    const request: XMLHttpRequest = (event as CustomEvent).detail.xhr

    // Headers can only be set while the request is OPENED (readyState 1), before send().
    if (request.readyState !== XMLHttpRequest.OPENED) {
        return
    }

    const nonce = document.querySelector<HTMLMetaElement>('meta[name="csp-nonce"]')
    if (!nonce) {
        return
    }
    request.setRequestHeader('X-Turbo-Nonce', nonce.content)
})
```

### Maintainer

[Tobias Kündig](https://github.com/tobias-kuendig) (@tobias-kuendig)
