General plugins (Local): Content security policy
Content security policy 2019100100
Code prechecksHTML | XML
Why would you want this?
Security, security, security.
This plugin helps you to detect and mitigate certain classes of security errors in your Moodle such as:
- Mixed content (https/http) after you switched to HTTPS.
- Same origin (or specified origin) policy for scripts and media data.
- Unintended iframes
What is this?
This plugin allows you to easily test and rollout Custom Security Policy headers across your moodle.
Examples: - Report/enforce SSL origin for links, images etc. - Report/enforce same-origin for links, images etc.
How does it work?
Site admin configures CSP headers:
Content-Security-Policy-Report-Only in the plugin settings.
Header Content-Security-Policy-Report-Only is for recording CSP violations in Moodle and reviewing them later from the plugin's report page.
Enabling of Content-Security-Policy blocks browser from showing site resources that violate defined rules.
CSP support in browsers is quite good:
Checkout or download the plugin source code into folder
local\csp of your Moodle installation.
git clone email@example.com:catalyst/moodle-local_csp.git local\csp
wget https://github.com/catalyst/moodle-local_csp/archive/master.zip mkdir -p local/csp unzip master.zip -d local/csp
Then go to your Moodle admin interface and complete installation and configuration. Example policy 'default-src https:;' will be reporting or enforcing the links to be HTTPS-only. Please note, the whole moodle website should be accessible via HTTPS for this to work.
For more examples of other CSP directives please read here.
Convert http embedded content to https on https sites where available https://tracker.moodle.org/browse/MDL-46269
A complementary plugin which works by searching the moodle DB for bad links: https://github.com/moodlerooms/moodle-tool_httpsreplace
This plugin was developed by Catalyst IT Australia: https://www.catalyst-au.net/
- Version build number
- Version release name
- Stable version
- MD5 Sum
- Supported software
- Moodle 3.0, Moodle 3.1, Moodle 3.2, Moodle 3.3, Moodle 3.4, Moodle 3.5, Moodle 3.6, Moodle 3.7
- This is the latest release for Moodle 3.0
- This is the latest release for Moodle 3.1
- This is the latest release for Moodle 3.2
- This is the latest release for Moodle 3.3
- This is the latest release for Moodle 3.4
- This is the latest release for Moodle 3.5
- This is the latest release for Moodle 3.6
- This is the latest release for Moodle 3.7
Version control information
- Version control system (VCS)
- VCS repository URL
Default installation instructions for plugins of the type General plugins (Local)
- Make sure you have all the required versions.
- Download and unpack the module.
- Place the folder in the "local" subdirectory.
- Visit http://yoursite.com/admin to finish the installation.