Search
My Cart

basecom / magento2-csp-split-header

basecom/magento2-csp-split-header

Magento 2 module to split oversized CSP headers into multiple headers.

  • Team Magento @basecom
magento2-module Compatibility: 2.4.7-2.4.9 Code Quality: Fail Tests: N/A Security: Pass MIT

Basecom_CspSplitHeader Magento 2 Module

Packagist
Software License
Supported Magento Versions

[!IMPORTANT]
As of Magento 2.4.7 it is no longer possible to deactivate the Magento CSP module.

With a growing Content Security Policies (CSP) whitelist, the problem can arise that the
headers Content-Security-Policy-Report-Only and/or Content-Security-Policy become so large that they exceed the
maximum permitted size of a header field, causing the web server to not process the response any further.

The CSP mechanism allows multiple policies to be specified for a resource, including via the Content-Security-Policy
header, the Content-Security-Policy-Report-Only header and a meta
element [MDN].
Therefore, the headers can be specified more than once.

This is where the module comes into play. It implements an after method plugin for the
method Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render, which replaces the existing CSP headers
via the method \Magento\Framework\App\Response\HttpInterface::setHeader. The header is read, split so that the syntax
remains valid, and replaced by the new headers. The result is a separate header for each directive, each of which should
no longer exceed the maximum permitted length of the web server.

[!TIP]
If the headers are too large even after splitting, try to identify unnecessary Magento modules and remove them.

Installation

  1. Install it into your Magento 2 project with composer:

    composer require basecom/magento2-csp-split-header

  2. Enable module

    bin/magento setup:upgrade

Configuration

Config Default Value Description
basecom_csp_split_header/settings/header_splitting_enable 0 (disabled) enables (1) / disables (0) the splitting of the CSP header
basecom_csp_split_header/settings/max_header_size 8000 maximum allowed header field size

These values can be updated in the system configuration under Basecom -> Content Security Policy -> Enable.

Example

  1. CSP splitting disabled

    Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;

  2. CSP splitting enabled

    Content-Security-Policy: default-src 'self' https://example.com; 
Content-Security-Policy: connect-src 'none'; 
Content-Security-Policy: script-src https://example.com/;

Known Issues

CSP header is not split correctly (#5)

Lower the maximum allowed header field size threshold in the config basecom_csp_split_header/settings/max_header_size.

Varnish 503 error (#7)

Increase the Varnish header sizehttp_resp_hdr_len. The default value is 8kb.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email [email protected] instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Copyright

© 2024 basecom GmbH & Co. KG

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog
and this project adheres to Semantic Versioning.

[Unreleased]

Added

Changed

Removed

Fixed

1.0.7 - 2025-03-24

Added

  • Added Known issues section in the README

Changed

  • Changed the default value of basecom_csp_split_header/settings/max_header_size from 8190 to 8000.

1.0.6 - 2024-10-07

Fixed

  • Fix duplicate policy and reduce number of splits. @mfickers #4

1.0.5 - 2024-08-27

Added

1.0.4 - 2024-08-08

Changed

  • Changed max_header_size from 8000 to the Apache default of 8190.

1.0.3 - 2024-08-07

Added

  • Added GitHub action to automatically set tag.

1.0.2 - 2024-08-05

Added

  • Added README.

1.0.1 - 2024-08-02

Fixed

  • Fixed issue where the fetch directive was added twice to the CSP header content.

1.0.0 - 2024-08-02

Versions
Version Stability QA Status Compatibility Released
1.0.7 stable Fail Magento 2.4.7-2.4.9 Details 2025-03-24 12:29:03
1.0.6 stable Not tested Not yet tested Details 2024-10-07 08:38:31
1.0.5 stable Not tested Not yet tested Details 2024-08-27 07:23:18
1.0.4 stable Not tested Not yet tested Details 2024-08-08 17:37:32
1.0.3 stable Not tested Not yet tested Details 2024-08-07 16:00:45
1.0.2 stable Not tested Not yet tested Details 2024-08-06 06:34:09
1.0.1 stable Not tested Not yet tested Details 2024-08-05 07:45:52
1.0.0 stable Not tested Not yet tested Details 2024-08-02 07:57:08

Requires 5

Package Constraint
php ~8.1
magento/framework *
magento/module-csp *
magento/module-config *
magento/module-backend *

Compatibility

Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.

Compatibility matrix (Magento × PHP)
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass Pass

Code Quality

Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.

Static analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

Static analysis results
Tool Status Findings Summary
PHPCS Warning 2 2 warnings (ruleset: Magento2)
PHPMD Warning 1 1 rule violation (UnusedPrivateField:1)
Cpd Pass 0
Composer validate Info 5 valid; 5 advisory notes (composer validate --strict)

PHPStan

Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases. Cell → details modal.

PHPStan results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 2 2
2.4.8 2 2
2.4.9 2 2

Tests

Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.

Unit tests

Unit tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Integration tests

Integration tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Security

Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.

Security results
Tool Status Findings Summary
Composer audit Pass 0
License
MIT
Authors
Make it pay

Turn an existing module into recurring revenue.

If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.

List your module