Content security policy

Local plugins ::: local_csp
Maintained by Catalyst IT, Brendan Heywood
This plugin allows an admin to create a Custom Security Policy (CSP) in both reporting mode and enforcing mode. A simple use case is to detect and cleanup issues with non secure content after a migration from http to https, through to advanced policies to mitigate from XSS attacks.

Content security policy 2016120701

Moodle 2.7, 2.8, 2.9, 3.0, 3.1, 3.2
Released: Tuesday, 21 February 2017, 2:58 PM
Download

Code prechecks

phplint phpcs1 | 6 js css phpdoc18 | 0 savepoint thirdparty grunt shifter mustache
HTML | XML

Travis integration: Build Status

moodle-local_csp

Why would you want this?

Security, security, security.

This plugin helps you to detect and eliminate security errors in your Moodle such as: - Mixed content (https/http) after you switched to HTTPS. - Same origin (or specified origin) policy for scripts and media data.

What is this?

This plugin enables Custom Security Policy headers across the Moodle website. Examples: - Report/enforce SSL origin for links, images etc. - Report/enforce same-origin for links, images etc.

How does it work?

Site admin configures CSP headers: Content-Security-Policy or Content-Security-Policy-Report-Only in the plugin settings. Header Content-Security-Policy-Report-Only is for recording CSP violations in Moodle and reviewing them later from the plugin's report page. Enabling of Content-Security-Policy blocks browser from showing site resources that violate defined rules.

Installation

Checkout or download the plugin source code into folder local\csp of your Moodle installation.

git clone git@github.com:catalyst/moodle-local_csp.git local\csp

or

wget https://github.com/catalyst/moodle-local_csp/archive/master.zip
mkdir -p local/csp
unzip master.zip -d local/csp

Then go to your Moodle admin interface and complete installation and configuration. Example policy 'default-src https:;' will be reporting or enforcing the links to be HTTPS-only. Please note, the whole moodle website should be accessible via HTTPS for this to work. For more examples of other CSP directives please read here.

References

Relevant issue in Moodle Tracker: (https://tracker.moodle.org/browse/MDL-46269)

Complementary plugin: https://github.com/moodlerooms/moodle-tool_httpsreplace

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/

Catalyst IT

Version information

Version build number
2016120701
Version release name
2016120701
Maturity
Stable version
MD5 Sum
d4756a859b29f234a3fdd43f04ba0be4
Supported software
Moodle 2.7, Moodle 2.8, Moodle 2.9, Moodle 3.0, Moodle 3.1, Moodle 3.2

Version control information

Version control system (VCS)
GIT
VCS repository URL
VCS tag
2016120701

Default installation instructions for plugins of the type Local plugins

  1. Make sure you have all the required versions.
  2. Download and unpack the module.
  3. Place the folder in the "local" subdirectory.
  4. Visit http://yoursite.com/admin to finish the installation.