Kirby Plugin for easier Security Headers setup
MIT License
Kirby Plugin for easier Security Headers setup.
🔐 Why should you use this plugin? Because security matters. Protecting your own or your clients websites and their customers data is important.
M | O | N | E | Y |
---|---|---|---|---|
Github sponsor | Patreon | Buy Me a Coffee | Paypal dontation | Hire me |
site/plugins/kirby3-security-headers
orgit submodule add https://github.com/bnomei/kirby3-security-headers.git site/plugins/kirby3-security-headers
orcomposer require bnomei/kirby3-security-headers
A route:before
-hook takes care of setting the headers automatically unless one of the following conditions applies:
true
enabled
is set to false
The following headers will be applied by default. You can override them in the config file.
/site/config/config.php
<?php
return [
'bnomei.securityheaders.headers' => [
"X-Powered-By" => "", // unset
"X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff",
"strict-transport-security" => "max-age=31536000; includeSubdomains",
"Referrer-Policy" => "no-referrer-when-downgrade",
"Permissions-Policy" => 'interest-cohort=()', // flock-off,
// ... FEATURE POLICIES
// other options...
];
The Loader is used to initally create the CSPBuilder object with a given set of data. You skip that, forward a file to load, provide an array or use the default loader file. Using a custom file is recommended when for example adding additional font-src for google web fonts.
/site/config/config.php
<?php
return [
'bnomei.securityheaders.loader' => function () {
// https://github.com/paragonie/csp-builder#example
// null if you do NOT want to use default and/or just the setter
/*
return null;
*/
// return path of file (json or yaml)
// or an array of options for the cspbuilder
/*
return [...];
return kirby()->roots()->site() . '/your-csp.json';
return kirby()->roots()->site() . '/your-csp.yml';
*/
// otherwise forward the default file from this plugin
return __DIR__ . '/loader.json';
},
// other options...
];
The Setter is applied after the Loader. Use it to add dynamic stuff like hashes and nonces.
/site/config/config.php
<?php
return [
'bnomei.securityheaders.setter' => function (\Bnomei\SecurityHeaders $instance) {
// https://github.com/paragonie/csp-builder#build-a-content-security-policy-programmatically
/** @var ParagonIE\CSPBuilder\CSPBuilder $csp */
/*
$csp = $instance->csp();
$nonce = $instance->setNonce('my-inline-script');
$csp->nonce('script-src', $nonce);
*/
// in your template retrieve it again with
/*
$nonce = $page->nonce('my-inline-script');
=> `THIS-IS-THE-NONCE`
$attr = $page->nonceAttr('my-inline-script');
=> `nonce="THIS-IS-THE-NONCE"`
*/
},
// other options...
];
TIP: nonces are set in the
setter
and later retrieved using$page->nonce(...)
or$page->nonceAttr(...)
.
This plugin automatically registers Kirbys nonce for the panel. For convenience it also provides you with a single frontend nonce to use as attribute in <link>
, <style>
and <script>
elements. You can retrieve the nonce with site()->nonce()
and the full attribute with site()->nonceAttr()
.
<?php ?>
<script nonce="<?= site()->nonce() ?>">
// ...
</script>
<style <?= site()->nonceAttr() ?>>
</style>
TIP: The srcset plugin uses that frontend nonce as well.
bnomei.securityheaders. | Default | Description |
---|---|---|
enabled | true or false or 'force' |
will set headers |
seed | callback |
returns a seed for frontend nonce |
headers | array |
of sensible default values. modify as needed. |
loader | callback |
returning filepath or array |
setter | callback |
instance which allows customizing the CSPBuilder |
This plugin is provided "as is" with no guarantee. Use it at your own risk and always test it yourself before using it in a production environment. If you find any issues, please create a new issue.
It is discouraged to use this plugin in any project that promotes racism, sexism, homophobia, animal abuse, violence or any other form of hate speech.