# experius/module-csp

> Provide a basic Content Security Policy Allowed List and report blocked resources.

`composer require experius/module-csp`

Canonical URL: https://packagento.com/experius/module-csp

## At a glance

- **Vendor**: experius (https://packagento.com/experius.md)
- **Latest version**: 2.0.3 — released 2022-04-15
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/experius/module-csp and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`. Keep `auth.json` out of version control: the private key is a credential bound to your project, not part of the codebase.

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require experius/module-csp:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Provide a basic Content Security Policy Allowed List and report blocked resources.

## README

```
experius/module-csp
```

 - [Installation](#markdown-header-installation)
 - [Main Functionalities](#markdown-header-main-functionalities)
 - [Basic allowed list](#markdown-header-basic-allowed-list)
 - [Content Security Policy Reporting & whitelisting](#markdown-header-content-security-policy-reporting-&-whitelisting)
 - [Add a resource to the allowed list permanently](#markdown-header-add-a-resource-to-the-allowed-list-permanently)

### Installation
In production please use the `--keep-generated` option

 - Install the module via Composer by running `composer require experius/module-csp`
 - enable the module by running `php bin/magento module:enable Experius_Csp`
 - apply database updates by running `php bin/magento setup:upgrade`
 - Flush the cache by running `php bin/magento cache:flush`

### Main Functionalities
Provides a basic Content Security Policy allowed list (whitelist). Whenever the policy blocks a resource, the browser's violation report is stored automatically in the Experius CSP report table (`experius_csp_report`).

When a report of a blocked directive is found, an error message is shown in the admin to notify the developer/client.

From the admin, these reports can be whitelisted for the directives that allow it.
See "Content Security Policy Reporting & whitelisting" below for an example and more details.

#### IMPORTANT: Content Security Policy Report Only Mode
In the upcoming Magento 2.4 release the Content Security Policy Report Only mode will be disabled and the policy will be enforced (validated strictly), so anything still showing up in the report table will then be blocked for real.

The `report-to` directive has been disabled in this version because it is not working properly.
See: `\Experius\Csp\Plugin\Magento\Framework\App\Response\HttpInterface::beforeSetHeader`

#### Basic allowed list
Currently this module ships a basic whitelist of sources considered "safe". Review it against the third parties your store actually uses before deploying: every host on it is allowed for the corresponding directive on the whole installation.

A few examples:

 - Google Fonts
 - Google Maps
 - Dotdigital / Dotmailer Chat
 - Buckaroo
 - etc.

For a full list for each directive, please check the following file:
```
etc/csp_whitelist.xml
```

#### Content Security Policy Reporting & whitelisting
In the Magento Admin you can view the reports which are created.

    System > Tools > CSP reporting & whitelist

![Scheme](Docs/Screenshots/report-view.png)


To avoid clutter, a counter is kept per report so that the table does not grow excessively with many page views.
Reports are grouped by "violated_directive", "blocked_uri" and "document_uri".

@TODO: [Nice to have] consider dropping "document_uri" from the grouping, since the whitelist is applied across the entire Magento installation (globally).
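The ingestion and grouping described above, as an added Python example that is not part of experius/module-csp (the module itself is PHP): it parses the JSON a browser POSTs to a `report-uri` endpoint into the columns of the report table, reduces `violated_directive` to the directive name (CSP2 browsers put the whole directive text there), strips query strings and fragments from `blocked_uri` so that cache-busted URLs collapse into one row, and keeps a counter per (violated_directive, blocked_uri, document_uri) key. Keyword values such as `inline` or `eval` in `blocked_uri` are passed through untouched rather than being treated as URLs. The sample payloads, the `Report`/`ReportStore` names and the `ingest()` helper are constructed for the example.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# blocked-uri values that are CSP keywords rather than URLs; they must not go
# through the URL parser or have a "query string" stripped.
NON_URL_BLOCKED = {"", "inline", "eval", "data", "blob", "self", "wasm-eval", "about"}


@dataclass(frozen=True)
class Report:
    """One row as the README's report table describes it (date omitted)."""
    document_uri: str
    referrer: str
    violated_directive: str   # directive name only, e.g. "img-src"
    original_policy: str
    blocked_uri: str          # normalised: no query string or fragment


def normalise_blocked_uri(raw: str) -> str:
    """Drop query string and fragment so cache-busted URLs collapse into one
    row (the changelog notes query strings are disregarded since 1.8.0)."""
    raw = raw.strip()
    if raw.lower() in NON_URL_BLOCKED:
        return raw.lower()
    parts = urlsplit(raw)
    if not parts.scheme:
        return raw                      # bare origin or host: leave untouched
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def directive_name(csp_report: dict) -> str:
    """effective-directive is always just the name; CSP2 browsers put the whole
    directive text ("img-src 'self' data:") in violated-directive."""
    text = csp_report.get("effective-directive") or csp_report.get("violated-directive", "")
    tokens = str(text).split()
    return tokens[0].lower() if tokens else ""


def parse_report(body: str) -> Report:
    """Parse the JSON body a browser POSTs to report-uri."""
    csp = json.loads(body).get("csp-report")
    if not isinstance(csp, dict):
        raise ValueError("not a report-uri payload")
    directive = directive_name(csp)
    if not directive:
        raise ValueError("report names no violated directive")
    return Report(
        document_uri=str(csp.get("document-uri", "")),
        referrer=str(csp.get("referrer", "")),
        violated_directive=directive,
        original_policy=str(csp.get("original-policy", "")),
        blocked_uri=normalise_blocked_uri(str(csp.get("blocked-uri", ""))),
    )


def report_key(report: Report) -> tuple:
    """The grouping the README describes: directive, blocked URI, document URI."""
    return (report.violated_directive, report.blocked_uri, report.document_uri)


@dataclass
class ReportStore:
    """In-memory stand-in for the experius_csp_report table (constructed)."""
    rows: dict = field(default_factory=dict)   # report_key -> [Report, count]

    def record(self, report: Report) -> int:
        """Insert the row or bump its counter; returns the new count."""
        row = self.rows.setdefault(report_key(report), [report, 0])
        row[1] += 1
        return row[1]

    def count(self, directive: str, blocked_uri: str, document_uri: str) -> int:
        row = self.rows.get((directive, blocked_uri, document_uri))
        return row[1] if row else 0


# Constructed sample payloads in the report-uri format (not captured traffic).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/", "referrer": "https://example.com/",
        "violated-directive": "img-src", "effective-directive": "img-src",
        "original-policy": "default-src 'self'; img-src 'self'",
        "blocked-uri": "https://maps.gstatic.com/mapfiles/openhand_8_8.cur?v=1"}}),
    json.dumps({"csp-report": {          # same resource, other cache-buster, CSP2 style
        "document-uri": "https://example.com/", "referrer": "https://example.com/",
        "violated-directive": "img-src 'self'",
        "original-policy": "default-src 'self'; img-src 'self'",
        "blocked-uri": "https://maps.gstatic.com/mapfiles/openhand_8_8.cur?v=2"}}),
    json.dumps({"csp-report": {          # inline script: keyword, not a URL
        "document-uri": "https://example.com/checkout/", "referrer": "",
        "violated-directive": "script-src-elem", "effective-directive": "script-src-elem",
        "original-policy": "script-src 'self'", "blocked-uri": "inline"}}),
]


def ingest(bodies=SAMPLE_REPORTS) -> ReportStore:
    store = ReportStore()
    for body in bodies:
        store.record(parse_report(body))
    return store


if __name__ == "__main__":
    for (directive, uri, doc), (_, n) in ingest().rows.items():
        print(f"{n:3d}  {directive:<16} {uri:<55} {doc}")
```

Run stand-alone it prints two rows: the two gstatic reports merge into one row with a count of 2, the inline-script report stays separate. In a real endpoint the body should also be size-limited and the `Content-Type` (`application/csp-report`) checked before parsing, since the report URL is reachable unauthenticated.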

#### Add a resource to the allowed list permanently
Based on the reports you can add a `csp_whitelist.xml` file to your own module; once the resource is whitelisted there, delete the report record, as it is no longer relevant.
More information about how this XML file works can be found here:

    https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

Example report:

 - document_uri: https://example.com/
 - referer: https://example.com/
 - violated_directive: img-src
 - original_policy: font-src fonts.googleapis.com fonts.gstatic.com https://www.gstatic.com https://fonts.gstatic.com 'self' 'unsafe-inline'; form-action 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src cdn.dnky.co youtube.com www.youtube.com https:/
 - blocked_uri: https://maps.gstatic.com/mapfiles/openhand_8_8.cur
 - date: 2020-06-25 16:42:23

Fix, in `app/code/Custom/Csp/etc/csp_whitelist.xml` of your own module:

```xml
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="img-src">
            <values>
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```
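A way to check, before deleting the report row, that the entry you added actually covers the blocked URI. This is an added Python example, not code from experius/module-csp or Magento_Csp: it loads a `csp_whitelist.xml` in the format above (only `type="host"` values; hash entries cannot make a fetch allowed) and applies CSP3 host-source matching. Note that `*.gstatic.com` matches `maps.gstatic.com` but not `gstatic.com` itself, a scheme-less entry only matches the document's scheme (assumed `https` here), and an entry without a port only matches the default port. The `overly_broad()` check flags entries such as `*` or `https:` that would quietly open the directive to any host. The sample XML with its extra `maps-api` and hash entries, and all function names, are constructed for the example; fallback from a directive to `default-src` is deliberately not modelled.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
NETWORK_SCHEMES = set(DEFAULT_PORTS)
BROAD_SOURCES = {"*", "http:", "https:"}

# Constructed whitelist: the fix above plus two extra entries for illustration.
SAMPLE_WHITELIST_XML = """<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="img-src">
            <values>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="maps-api" type="host">https://maps.googleapis.com/maps/</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="inline-hash" type="hash" algorithm="sha256">c2FtcGxl</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
"""


def load_host_whitelist(xml_text: str) -> dict:
    """Return {directive: [host-source, ...]}. Hash values are skipped: they can
    make an inline block allowed, never a fetched URL."""
    allowed = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        directive = (policy.get("id") or "").lower()
        for value in policy.iter("value"):
            if value.get("type") == "host" and value.text and value.text.strip():
                allowed.setdefault(directive, []).append(value.text.strip())
    return allowed


def host_source_matches(expr: str, url: str, document_scheme: str = "https") -> bool:
    """CSP3 'does url match expression' for host-sources (redirects not modelled)."""
    u = urlsplit(url)
    if expr == "*":                                   # never matches data:/blob:
        return u.scheme in NETWORK_SCHEMES
    if expr.endswith(":") and "/" not in expr:        # scheme-source such as "https:"
        return u.scheme == expr[:-1].lower()
    if "://" in expr:
        e, e_scheme = urlsplit(expr), urlsplit(expr).scheme.lower()
    else:
        e, e_scheme = urlsplit("//" + expr), None
    # Scheme: a scheme-less source follows the document; http also admits https.
    if e_scheme is None:
        if u.scheme != document_scheme and not (document_scheme == "http" and u.scheme == "https"):
            return False
    elif u.scheme != e_scheme and not (e_scheme == "http" and u.scheme == "https"):
        return False
    # Host: "*.example.com" covers subdomains only, not example.com itself.
    e_host, u_host = (e.hostname or "").lower(), (u.hostname or "").lower()
    if e_host.startswith("*."):
        if not u_host.endswith(e_host[1:]):
            return False
    elif u_host != e_host:
        return False
    # Port: absent means the default port for the URL's scheme; ":*" means any.
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if e.netloc.endswith(":*"):
        pass
    elif e.port is not None:
        if u_port != e.port:
            return False
    elif u_port != DEFAULT_PORTS.get(u.scheme):
        return False
    # Path: a trailing "/" is a prefix match, anything else is exact.
    u_path = u.path or "/"
    if e.path.endswith("/"):
        return u_path.startswith(e.path)
    return not e.path or u_path == e.path


def is_allowed(whitelist: dict, directive: str, blocked_uri: str, document_scheme="https") -> bool:
    """Would the directive's host entries now permit this blocked URI?
    Keyword values ("inline", "eval") are never fixed by a host entry."""
    if "://" not in blocked_uri:
        return False
    return any(host_source_matches(e, blocked_uri, document_scheme)
               for e in whitelist.get(directive.lower(), []))


def overly_broad(whitelist: dict) -> list:
    """Entries that open a directive to every host (or a whole TLD)."""
    return [(d, e) for d, exprs in whitelist.items() for e in exprs
            if e in BROAD_SOURCES or (e.startswith("*.") and e.count(".") == 1)]


if __name__ == "__main__":
    wl = load_host_whitelist(SAMPLE_WHITELIST_XML)
    for uri in ("https://maps.gstatic.com/mapfiles/openhand_8_8.cur", "https://gstatic.com/x.png"):
        print(uri, "->", "allowed" if is_allowed(wl, "img-src", uri) else "still blocked")
```

Point `load_host_whitelist()` at the merged output of every `csp_whitelist.xml` in the installation (Magento merges them per directive), not just your own file, to see the policy the storefront really sends.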

## Changelog

### 2.0.3 (2022-04-15)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/2.0.3)

*  [FEATURE][DONS-65] added paypal to whitelisting *(Dylan Maurits)*


### 2.0.2 (2022-01-25)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/2.0.2)

*  [BUGFIX][SUBI-320] fixed bug where FallbackDirective was not being used properly *(Dylan Maurits)*


### 2.0.1 (2021-12-21)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/2.0.1)

*  [FEATURE][SPC-3021] Fixed issue where count wasn't working properly. *(René Schep)*


### 2.0.0 (2021-12-21)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/2.0.0)

*  [FEATURE][SPC-3021] Imported more classes. Rewrote Collectors *(René Schep)*


### 1.8.3 (2021-10-13)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.8.3)

*  [FEATURE][EMGA-374] Add logic to (de-)whitelist all identical reports upon (de-)whitelist of report *(Martijn van den Kerkhof)*
*  [FEATURE][EMGA-374] Efficiency improvements *(Martijn van den Kerkhof)*
*  [FEATURE][EMGA-374] Remove unnecessary import *(Martijn van den Kerkhof)*
*  [FEATURE][EMGA-374] Make method public *(Martijn van den Kerkhof)*


### 1.8.2 (2021-10-04)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.8.2)

*  [BUGFIX][SBN-216] Correct img-src 'data' policy in amasty base *(Matthijs Breed)*


### 1.8.1 (2021-09-16)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.8.1)

*  [BUGFIX] Changed in_array to array_key_exists *(René Schep)*


### 1.8.0 (2021-09-16)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.8.0)

*  [BUGFIX] Remove typo *(Martijn van den Kerkhof)*
*  [FEATURE] Implement fallback directives for non-magento-standard directives *(Martijn van den Kerkhof)*
*  [FEATURE] Minor reformats *(Martijn van den Kerkhof)*
*  [FEATURE] When checking for existing entries, disregard query strings. *(Martijn van den Kerkhof)*
*  [BUGFIX] Removed commented code *(Hexmage)*


### 1.7.2 (2021-09-09)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.7.2)

*  [BUGFIX] Moved policies node to proper location in csp node *(René Schep)*


### 1.7.1 (2021-09-09)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.7.1)

*  [FEATURE] Fixed 'frame-ancestors' does not support 'unsafe-inline' *(René Schep)*


### 1.7.0 (2021-09-09)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.7.0)

*  [FEATURE][SBAS-1452] Readded Media and Static urls and changed how urls get stripped *(René Schep)*


### 1.6.1 (2021-09-08)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.6.1)

*  [FEATURE][EMGA-374] Added styling to prevent listing overflow *(Martijn van den Kerkhof)*


### 1.6.0 (2021-08-26)

[View Release](git@github.com:experius/Magento-2-Module-Experius-Csp.git/commits/tag/1.6.0)

_(Changelog truncated for .md surface. Full history on https://packagento.com/experius/module-csp.)_

## Recent Versions

| Version | Released |
|---|---|
| 2.0.3 | 2022-04-15 |
| 2.0.2 | 2022-01-25 |
| 2.0.1 | 2021-12-21 |
| 2.0.0 | 2021-12-21 |
| 1.8.3 | 2021-10-13 |
| 1.8.2 | 2021-10-04 |
| 1.8.1 | 2021-09-16 |
| 1.8.0 | 2021-09-16 |
| 1.7.2 | 2021-09-09 |
| 1.7.1 | 2021-09-09 |

Showing 10 of 48 versions. Full release history on https://packagento.com/experius/module-csp.

## Quality

Latest release (2.0.3) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 46 | 46 warnings (ruleset: Magento2) — 16 auto-fixable with phpcbf |
| PHPMD | Pass | 0 |  |
| Cpd | Pass | 0 |  |
| Composer validate | Pass | 0 |  |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 18 | 18 | – | – |
| 2.4.8 | – | 18 | 18 | – |
| 2.4.9 | – | – | 18 | 18 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["experius/module-csp"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

experius is a Magento 2 vendor on Packagento. See https://packagento.com/experius.md for their full catalogue.

