General plugins (Local): Content security policy
Content security policy 2017041801
Why would you want this?
Security, security, security.
This plugin helps you to detect and eliminate security errors in your Moodle such as:
- Mixed content (https/http) after you switched to HTTPS.
- Same origin (or specified origin) policy for scripts and media data.
What is this?
This plugin enables Content Security Policy headers across the Moodle website. Examples:
- Report/enforce SSL origin for links, images etc.
- Report/enforce same-origin for links, images etc.
How does it work?
The site admin configures the CSP headers, Content-Security-Policy or Content-Security-Policy-Report-Only, in the plugin settings. The Content-Security-Policy-Report-Only header records CSP violations in Moodle so that they can be reviewed later from the plugin's report page. Enabling Content-Security-Policy makes the browser block site resources that violate the defined rules.
Check out or download the plugin source code into the folder local/csp of your Moodle installation.
git clone git@github.com:catalyst/moodle-local_csp.git local/csp
or
wget https://github.com/catalyst/moodle-local_csp/archive/master.zip
unzip master.zip
# the GitHub archive unpacks into moodle-local_csp-master; move it into place
mv moodle-local_csp-master local/csp
Then go to your Moodle admin interface and complete the installation and configuration. The example policy 'default-src https:;' reports or enforces that links are HTTPS-only. Please note that the whole Moodle website must be accessible via HTTPS for this to work. For more examples of other CSP directives please read here.
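To preview which resources a policy such as 'default-src https:;' would flag before enabling it, the following added example (not part of the plugin's code) checks a list of resource URLs against a policy using a simplified subset of CSP source matching. The page URL, the resource list and all function names are constructed for illustration.

```javascript
// Simplified CSP matching: scheme-sources ("https:"), 'self' (exact origin
// only) and full-origin sources. Names and sample data are constructed.
const PAGE = 'https://moodle.example.test/course/view.php';
const RESOURCES = [ // constructed sample of resources referenced by PAGE
  { kind: 'img-src', url: 'http://moodle.example.test/pix/logo.png' },
  { kind: 'img-src', url: '/theme/image.php' },
  { kind: 'script-src', url: 'https://cdn.example.test/lib.js' },
];

// "default-src https:; img-src 'self'" -> { 'default-src': ['https:'], ... }
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !(name in directives)) directives[name] = sources;
  }
  return directives;
}

function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {
    // A scheme-source matches by scheme; "http:" also admits https.
    return url.protocol === source || (source === 'http:' && url.protocol === 'https:');
  }
  // Anything else is treated as a full origin; unsupported forms match nothing.
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

// A missing fetch directive falls back to default-src; no directive = allowed.
function findViolations(policy, pageUrl, resources) {
  const directives = parsePolicy(policy);
  const page = new URL(pageUrl);
  const violations = [];
  for (const { kind, url } of resources) {
    const violated = kind in directives ? kind : 'default-src';
    const target = new URL(url, page); // resolves relative URLs against the page
    const sources = directives[violated];
    if (sources && !sources.some((s) => sourceMatches(s, target, page))) {
      violations.push({ url: target.href, violated });
    }
  }
  return violations;
}

// Report-Only records each violation; the enforcing header blocks the load.
function applyHeader(header, policy, pageUrl, resources) {
  const enforce = header.toLowerCase() === 'content-security-policy';
  return findViolations(policy, pageUrl, resources).map((v) => ({ ...v, action: enforce ? 'blocked' : 'reported' }));
}
```

With the sample data, 'default-src https:;' flags only the http:// image (mixed content), while "default-src 'self'" also flags the script loaded from the other origin.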
A complementary plugin, which works by searching the Moodle DB for bad links:
This plugin was developed by Catalyst IT Australia:
- Supported software: Moodle 2.9, Moodle 3.0, Moodle 3.1, Moodle 3.2
Default installation instructions for plugins of the type General plugins (Local)
- Make sure you have all the required versions.
- Download and unpack the module.
- Place the folder in the "local" subdirectory.
- Visit http://yoursite.com/admin to finish the installation.