Moodle plugins directory: Content security policy: Versions: 2019100100 | Moodle.org
Content security policy
Content security policy 2019100100
moodle-local_csp
Why would you want this?
Security, security, security.
This plugin helps you to detect and mitigate certain classes of security errors in your Moodle such as:
- Mixed content (https/http) after you switched to HTTPS.
- Same origin (or specified origin) policy for scripts and media data.
- Unintended iframes
What is this?
This plugin allows you to easily test and roll out Content Security Policy headers across your Moodle.
Examples:
- Report/enforce SSL origin for links, images etc.
- Report/enforce same-origin for links, images etc.
How does it work?
The site admin configures the CSP headers Content-Security-Policy or Content-Security-Policy-Report-Only in the plugin settings.
The Content-Security-Policy-Report-Only header records CSP violations in Moodle without blocking anything, so they can be reviewed later from the plugin's report page.
Enabling Content-Security-Policy makes the browser block site resources that violate the defined rules.
CSP support in browsers is quite good:
https://caniuse.com/#search=CSP
Installation
Check out or download the plugin source code into the folder local/csp of your Moodle installation.
git clone git@github.com:catalyst/moodle-local_csp.git local/csp
or
wget https://github.com/catalyst/moodle-local_csp/archive/master.zip
unzip master.zip
# The GitHub archive unpacks into moodle-local_csp-master; move it into place.
mv moodle-local_csp-master local/csp
Then go to your Moodle admin interface and complete the installation and configuration. The example policy 'default-src https:;' reports or enforces that links are HTTPS-only. Please note that the whole Moodle website should be accessible via HTTPS for this to work.
For more examples of other CSP directives please read here.
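Before switching from Content-Security-Policy-Report-Only to the enforcing header, it helps to know which origins and pages produce the recorded violations. The following is an added example, not code from the plugin: it groups browser violation reports for the example policy 'default-src https:;' by directive and blocked origin. The host names, the sample reports and the function names are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

POLICY = "default-src https:;"  # the example policy from this page

def _sample(page, blocked):
    # Constructed report in the JSON shape browsers POST to a CSP report endpoint.
    return json.dumps({"csp-report": {
        "document-uri": "https://moodle.example" + page,  # hypothetical site
        "violated-directive": "default-src https:",
        "blocked-uri": blocked,
        "original-policy": POLICY}})

SAMPLE_REPORTS = [
    _sample("/course/view.php?id=2", "http://cdn.example/img/banner.png"),
    _sample("/mod/page/view.php?id=7", "http://cdn.example/js/widget.js?v=3"),
    _sample("/my/", "inline"),
    "not json",  # a report endpoint receives whatever a client sends, so expect junk
]

def blocked_origin(uri):
    """Reduce blocked-uri to scheme://host so paths and queries do not split the counts."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri or "(empty)"  # keyword values such as "inline" or "eval"

def summarise(raw_reports):
    """Return (counts, pages, rejected) keyed by (directive name, blocked origin)."""
    counts, pages, rejected = Counter(), {}, 0
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
            directive = report["violated-directive"].split()[0]
            key = (directive, blocked_origin(report.get("blocked-uri", "")))
            page = urlsplit(report.get("document-uri", "")).path
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            rejected += 1  # malformed or hostile input: count it, never trust it
            continue
        counts[key] += 1
        pages.setdefault(key, set()).add(page)
    return counts, pages, rejected

if __name__ == "__main__":
    counts, pages, rejected = summarise(SAMPLE_REPORTS)
    for (directive, origin), n in counts.most_common():
        print(f"{n:3d}  {directive:12s} {origin:24s} {sorted(pages[(directive, origin)])}")
    print(f"rejected: {rejected}")
```

An http:// origin that dominates the summary is mixed content to fix or replace before enforcing; "inline" entries point at inline scripts or styles that the policy would block.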
References
See also:
Convert http embedded content to https on https sites where available https://tracker.moodle.org/browse/MDL-46269
A complementary plugin which works by searching the moodle DB for bad links: https://github.com/moodlerooms/moodle-tool_httpsreplace
This plugin was developed by Catalyst IT Australia: https://www.catalyst-au.net/
Version information
- Version build number: 2019100100
- Version release name: 2019100100
- Maturity: Stable version
- MD5 Sum: fb9c4af3556815ae6e65b0fdd6ceb2c7
- Supported software: Moodle 3.0, Moodle 3.1, Moodle 3.2, Moodle 3.3, Moodle 3.4, Moodle 3.5, Moodle 3.6, Moodle 3.7
- Latest release for Moodle 3.0
- Latest release for Moodle 3.1
- Latest release for Moodle 3.2
- Latest release for Moodle 3.3
- Latest release for Moodle 3.4
- Latest release for Moodle 3.5
- Latest release for Moodle 3.6
- Latest release for Moodle 3.7
Version control information
- Version control system (VCS): GIT
- VCS repository URL
Default installation instructions for plugins of the type General plugins (Local)
- Make sure you have all the required versions.
- Download and unpack the module.
- Place the folder in the "local" subdirectory.
- Visit http://yoursite.com/admin to finish the installation.