# baldwin/magento2-module-csp-shim

> Magento 2 module which replaces the default Magento CSP module and effectively disables its functionality

`composer require baldwin/magento2-module-csp-shim`

Canonical URL: https://packagento.com/baldwin/magento2-module-csp-shim

## At a glance

- **Vendor**: baldwin (https://packagento.com/baldwin.md)
- **Latest version**: 1.0.12 — released 2026-05-12
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/baldwin/magento2-module-csp-shim and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require baldwin/magento2-module-csp-shim:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Magento 2 module which replaces the default Magento CSP module and effectively disables its functionality

## README

### Purpose

This module exists for people who don't want to deal with the CSP (Content-Security-Policy) module which ships with Magento.

Up until Magento 2.4.7, it was simple, you could just remove the module via composer's `replace` syntax.
But in Magento 2.4.7, this module is more tightly integrated with certain modules (like the AdminAnalytics, Checkout and Paypal modules), which - when you try to remove the CSP module using composer's `replace` syntax - would cause `bin/magento setup:di:compile` to fail.

This module provides a solution for this case, by pretending to be the Magento CSP module for certain classes that some other modules require. The classes introduced by this module use the Magento namespace because there doesn't seem to be another way of doing this but the classes are actually empty and only contain empty functions just so nothing crashes when other modules call them.

This module comes bundled with the composer `replace` line to remove the Magento CSP module, so you don't need to do this yourself anymore.

**Update 12 June 2024**: Magento devs decided to backport the CSP changes to the following Magento security releases, so we now also support these versions in the shim:

- 2.4.4-p9
- 2.4.5-p8
- 2.4.6-p6

### Alternatives

This module might not be the best solution out there (3rd party modules might try to use classes which we don't provide in this module), so here are some alterntives we can also recommend that don't remove the CSP module but disable its output. Pick whatever one you like best:

- [https://github.com/yireo/Yireo_DisableCsp](https://github.com/yireo/Yireo_DisableCsp) - it uses preferences to disable the CSP output
- [https://github.com/weiweiouyang/magento2-module-disable-csp](https://github.com/weiweiouyang/magento2-module-disable-csp) - it disables some event observers
- [https://github.com/outeredge/magento-disable-csp](https://github.com/outeredge/magento-disable-csp) - it uses plugins to disable the CSP output
- ...

### Watch out

- **Do not install this module when you care about PCI DSS compliance!**
- The module is currently declared compatible with specific versions of Magento only, it's hard to predict what will happen in the future, so we'll try to open up compatibility with more future Magento versions when they get released.

### Compatibility

- This module should work with Magento 2.4.4-p9, 2.4.5-p8, 2.4.6-p6, 2.4.7 and 2.4.7-p1
- The module should be compatible with PHP 7.4, 8.1, 8.2 and 8.3

### Installation

You can use composer to install this module:

```sh
composer require baldwin/magento2-module-csp-shim
```

After which you can then activate it in Magento using:

```sh
bin/magento setup:upgrade
```

## Recent Versions

| Version | Released |
|---|---|
| 1.0.12 | 2026-05-12 |
| 1.0.11 | 2026-03-10 |
| 1.0.10 | 2025-10-14 |
| 1.0.9 | 2025-08-13 |
| 1.0.8 | 2025-08-13 |
| 1.0.7 | 2025-06-10 |
| 1.0.6 | 2025-04-08 |
| 1.0.5 | 2025-02-11 |
| 1.0.4 | 2024-10-08 |
| 1.0.3 | 2024-06-20 |

Showing 10 of 13 versions. Full release history on https://packagento.com/baldwin/magento2-module-csp-shim.

## Dependencies

### Require

| Package | Constraint |
|---|---|
| magento/framework | 103.0.4-p9 \|\| 103.0.4-p11 \|\| 103.0.4-p12 \|\| 103.0.4-p13 \|\| 103.0.4-p14 \|\| 103.0.4-p15 \|\| 103.0.5-p8 \|\| 103.0.5-p10 \|\| 103.0.5-p11 \|\| 103.0.5-p12 \|\| 103.0.5-p13 \|\| 103.0.5-p14 \|\| 103.0.6-p6 \|\| 103.0.6-p8 \|\| 103.0.6-p9 \|\| 103.0.6-p10 \|\| 103.0.6-p11 \|\| 103.0.6-p12 \|\| 103.0.6-p13 \|\| 103.0.6-p14 \|\| 103.0.6-p15 \|\| 103.0.7 \|\| 103.0.7-p1 \|\| 103.0.7-p3 \|\| 103.0.7-p4 \|\| 103.0.7-p5 \|\| 103.0.7-p6 \|\| 103.0.7-p7 \|\| 103.0.7-p8 \|\| 103.0.7-p9 \|\| 103.0.7-p10 |
| php | ~7.4.0 \|\| ~8.1.0 \|\| ~8.2.0 \|\| ~8.3.0 |

### Require (dev)

| Package | Constraint |
|---|---|
| bamarni/composer-bin-plugin | ^1.8 |
| ergebnis/composer-normalize | ^2.42 |

### Replace

| Package | Constraint |
|---|---|
| magento/module-csp | 100.4.3-p9 \|\| 100.4.3-p13 \|\| 100.4.4-p8 \|\| 100.4.4-p12 \|\| 100.4.5-p6 \|\| 100.4.5-p10 \|\| 100.4.5-p13 \|\| 100.4.6 \|\| 100.4.6-p5 \|\| 100.4.6-p8 |

## Quality

Latest release (1.0.12) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | 1 | not tested | – |
| 2.4.9 | – | – | not tested | not tested |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 2 | 2 warnings (ruleset: Magento2) |
| PHPMD | Warning | 12 | 12 rule violations (UnusedFormalParameter:12) |
| Cpd | Pass | 0 |  |
| Composer validate | Pass | 0 |  |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 11 | 11 | – | – |
| 2.4.8 | – | 11 | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["baldwin/magento2-module-csp-shim"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

baldwin is a Magento 2 vendor on Packagento. See https://packagento.com/baldwin.md for their full catalogue.

