General plugins (Local): Content security policy

Maintained by Catalyst IT, Suan Kan, Brendan Heywood
This plugin allows an admin to create a Content Security Policy (CSP) in both report-only mode and enforcing mode. A simple use case is to detect and clean up non-secure (mixed) content after a migration from HTTP to HTTPS; more advanced policies can be used to mitigate XSS attacks.

This plugin allows you to configure a Content Security Policy (CSP) which is sent via HTTP response headers. CSP headers instruct browsers to restrict what a page may load or execute. For example, if a website is served over HTTPS, then a policy of 'default-src https:;' tells the browser to refuse to load any resources (scripts, CSS, images etc.) over plain HTTP.

Learn more about CSP here:

There are many other CSP directives that browsers understand, and by combining them administrators can tune the policy to their site, whether the aim is to get rid of mixed content or to block whole classes of cross-site scripting vulnerabilities (for example inline scripts and eval()).

Any policy you wish to use can be safely tested first in 'Report only' mode (sent as the Content-Security-Policy-Report-Only header), in which the browser reports violations but does not block anything. The plugin has a built-in report collector that aggregates every violation browsers send back. You can have two different policies, one for testing and one for enforcing, and gradually move each directive from 'report' to 'enforcing' once the issues it surfaces have been found and fixed.
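As an added example of the two pieces the paragraphs above describe (emitting a policy in report-only or enforcing mode, and aggregating the violation reports browsers post back), the following Python is illustrative code written for this page, not the plugin's own PHP. The header names and the two report formats (the legacy 'csp-report' object sent for report-uri, and the Reporting API 'csp-violation' array) are real; the hostnames, report endpoint URL and sample payloads are constructed. It also rejects a misspelt directive such as 'default' instead of 'default-src', which a browser would silently ignore:

```python
"""CSP header construction and violation-report aggregation.
Added example for this page, not code from the Moodle plugin. Policy
values, payloads, hostnames and the report endpoint URL are constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Browsers silently ignore a misspelt directive such as 'default' (for
# 'default-src'), so unknown names are rejected rather than emitted.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "frame-ancestors", "object-src",
    "base-uri", "form-action", "upgrade-insecure-requests",
}

def validate_directives(directives):
    """Return the names in `directives` that are not valid CSP directives."""
    return [name for name in directives if name not in KNOWN_DIRECTIVES]

def build_csp_header(directives, report_only=False, report_uri=None):
    """Serialise {directive: [sources]} into a (header name, value) pair."""
    bad = validate_directives(directives)
    if bad:
        raise ValueError(f"unknown CSP directive(s): {bad}")
    # Valueless directives (upgrade-insecure-requests) have an empty list.
    parts = [f"{n} {' '.join(s)}" if s else n for n, s in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return (REPORT_ONLY_HEADER if report_only else ENFORCE_HEADER,
            "; ".join(parts))

def parse_reports(raw):
    """Parse one POST body (legacy or Reporting API format) into dicts."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        # violated-directive may include the source list; keep only the name.
        name = r.get("effective-directive") or r["violated-directive"].split()[0]
        return [{"directive": name, "blocked": r.get("blocked-uri", ""),
                 "document": r.get("document-uri", "")}]
    if isinstance(data, list):
        # Other report types (deprecation etc.) can share the endpoint.
        return [{"directive": i["body"].get("effectiveDirective", ""),
                 "blocked": i["body"].get("blockedURL", ""),
                 "document": i["body"].get("documentURL", "")}
                for i in data if i.get("type") == "csp-violation"]
    raise ValueError("unrecognised CSP report payload")

def classify(violation):
    """Bucket a violation by the kind of fix it needs."""
    blocked = violation["blocked"]
    if blocked in ("inline", "eval"):
        return blocked  # the XSS-relevant buckets
    doc, bl = urlsplit(violation["document"]), urlsplit(blocked)
    if doc.scheme == "https" and bl.scheme == "http":
        return "mixed-content"
    if bl.netloc and bl.netloc != doc.netloc:
        return "third-party"
    return "same-origin"

def aggregate(violations):
    """Count by (directive, category, origin): one broken resource used on
    thousands of pages collapses into a single row."""
    counts = Counter()
    for v in violations:
        bl = urlsplit(v["blocked"])
        origin = f"{bl.scheme}://{bl.netloc}" if bl.netloc else v["blocked"]
        counts[(v["directive"], classify(v), origin)] += 1
    return counts

# Constructed sample payloads: two legacy reports and one Reporting API batch.
SAMPLE_PAYLOADS = [
    json.dumps({"csp-report": {
        "document-uri": "https://moodle.example/course/view.php?id=3",
        "violated-directive": "img-src https:",
        "blocked-uri": "http://cdn.example/logo.png"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://moodle.example/course/view.php?id=4",
        "effective-directive": "img-src",
        "blocked-uri": "http://cdn.example/logo.png"}}),
    json.dumps([
        {"type": "csp-violation", "body": {
            "documentURL": "https://moodle.example/my/",
            "effectiveDirective": "script-src", "blockedURL": "inline"}},
        {"type": "deprecation", "body": {"id": "unused"}},
        {"type": "csp-violation", "body": {
            "documentURL": "https://moodle.example/my/",
            "effectiveDirective": "script-src",
            "blockedURL": "https://analytics.example/a.js"}},
    ]),
]

def demo():
    """Aggregate the sample payloads and return the Counter."""
    return aggregate([v for raw in SAMPLE_PAYLOADS for v in parse_reports(raw)])
```

Calling `build_csp_header({"default-src": ["https:"]}, report_only=True, report_uri=...)` yields the report-only header for the migration use case; flipping `report_only` to False is the move to enforcing once `demo()` style aggregation shows the mixed-content rows have gone. The 'inline' and 'eval' buckets are the ones to watch when tightening script-src against XSS, since each row there is a page that still relies on inline script.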




Catalyst IT (Lead maintainer)
