
unocha/ocha\_security
=====================

v1.0.1 (released 4y ago), GPL-2.0-only, PHP. Last pushed 4y ago; 3 watchers.

[Source](https://github.com/UN-OCHA/ocha_security) | [Packagist](https://packagist.org/packages/unocha/ocha_security)

Ocha Security
=============


This is primarily a helper for the seckit module. More security-related fixes that apply to all sites would be welcome.

CSP rules are a bit confusing. Add to or improve these notes if they make it more so.

Seckit module helper.
---------------------


Prepares hashes, or a nonce for logged-in users, to allow CSP protection for scripts. Requires the seckit module with [this patch](https://www.drupal.org/files/issues/2021-09-13/2844205-alter-csp-directives-10.patch). (Note: the patch might soon be replaced; check the status on [the ticket](https://www.drupal.org/project/seckit/issues/2844205#comment-14455849).)

This is necessary to avoid 'script-src' rules that allow 'eval' or 'unsafe-inline', which undermine the point of using the seckit module.

Note that it is recommended to keep 'unsafe-inline' when a nonce or a hash is included: CSP level 1 browsers will honour it, while CSP level 2 browsers ignore it once a nonce or hash is present. [Not the best reference](https://github.com/mozilla/http-observatory/issues/88)

For logged-in users, where the page is not cached, a **nonce** (Number used ONCE) must be generated for each request, but can be used for all of the scripts.

For anonymous users, where the page is cached, a **hash** must be created for each separate script. Inline scripts use a hash of the script itself, attached files use a hash of the filename. These can be re-used across requests.

This adds hashes or a nonce to script elements, assets and attachments, and the same to the CSP directives.
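To make the two mechanisms above concrete, here is an added example (not code from the ocha_security module or from seckit; the function names are invented): a per-request nonce for uncached logged-in pages, a content hash for an inline script on cached anonymous pages, and the resulting script-src directive in each case.

```php
<?php
// Added example, not code from the ocha_security module or seckit.
// Function names are invented for illustration.
declare(strict_types=1);

/**
 * Logged-in (uncached) pages: one random nonce per request, reused on
 * every <script> tag of that response. It must be unguessable, so it comes
 * from random_bytes(), never from a counter or timestamp.
 */
function ocha_example_nonce(): string {
  return base64_encode(random_bytes(16));
}

/**
 * Anonymous (cached) pages: a hash per inline script, computed over the
 * exact script body between <script> and </script>. It depends only on the
 * content, so it can be cached with the page and reused across requests.
 */
function ocha_example_script_hash(string $inline_script): string {
  return "'sha256-" . base64_encode(hash('sha256', $inline_script, true)) . "'";
}

/**
 * Assemble the script-src directive. 'unsafe-inline' stays as the CSP level 1
 * fallback; level 2+ browsers ignore it once a nonce or hash is present.
 */
function ocha_example_script_src(array $hosts, ?string $nonce, array $hashes): string {
  $sources = array_merge(["'self'", "'unsafe-inline'"], $hosts);
  if ($nonce !== null) {
    $sources[] = "'nonce-" . $nonce . "'";
  }
  return 'script-src ' . implode(' ', array_merge($sources, $hashes)) . ';';
}

// Constructed sample inline script; any whitespace change alters the hash.
$script = 'window.drupalSettings = {"path":{"baseUrl":"/"}};';

// Cached anonymous page: hash per script, no nonce in the policy.
$anonymous_csp = ocha_example_script_src([], null, [ocha_example_script_hash($script)]);

// Uncached logged-in page: the same nonce goes into the policy and each tag.
$nonce = ocha_example_nonce();
$logged_in_csp = ocha_example_script_src([], $nonce, []);
$tag = '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">' . $script . '</script>';

header('Content-Security-Policy: ' . $anonymous_csp);
```

The hash covers the script body byte for byte, so the value stored with a cached page is only valid as long as the rendered inline script is unchanged.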

Notes
-----


@todo Find a resource to explain what Drupal means by 'element', 'asset' and 'attachment'.

Adds a nonce to, or creates a hash for, scripts as:

- Elements (via pre-render hook): `src/Element/OchaSecurityHtmlPreRender.php`
- Assets: `src/Asset/OchaSecurityAssetResolver.php`
- Attachments: `ocha_security_page_attachments_alter()`

Also ensures SameSite=Lax on cookies, though this is now default behaviour in modern browsers: `src/Session/OchaSecuritySessionConfiguration.php`

Hashes and nonces require extra work: they "are only intended for cases where removing inline scripts is not an option" ([source](https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/)). We might consider using only hashes and caching them.

['strict-dynamic'](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic) overrides any allowed domains in the seckit configuration, but only for browsers which implement CSP-v3. So a nonce or hash is necessary for all scripts.


### Community

Maintainer: [unocha](/maintainers/unocha)

Top contributor: [lazysoundsystem](https://github.com/lazysoundsystem) (3 commits)
