# yireo/magento2-csp-inspector

> Magento module to help with inspecting CSP headers

`composer require yireo/magento2-csp-inspector`

Canonical URL: https://packagento.com/yireo/magento2-csp-inspector

## At a glance

- **Vendor**: yireo (https://packagento.com/yireo.md)
- **Latest version**: 1.0.6 — released 2026-06-01
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/yireo/magento2-csp-inspector and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require yireo/magento2-csp-inspector:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Magento module to help with inspecting CSP headers

## README

**Simple CLI tool to inspect the current CSP headers of a specified Magento URL and report back the values - because it is too cumbersome to search for values in the browser.**

**Please note that this tool does NOT report issues with those CSP headers, it only inspects the currently generated HTTP headers. Use other tools like SanSec Watch or the M.Academy CSP Generator to fix your CSP headers.**

#### Installation
```bash
composer require --dev yireo/magento2-csp-inspector
bin/magento module:enable Yireo_CspInspector
```

#### Usage
Report all policies and the mode of the homepage:
```bash
bin/magento csp:inspect
```

Report all policies and the mode of the cart-page:
```bash
bin/magento csp:inspect checkout/cart
```

Report all policy values for the policy `script-src` on the homepage:
```bash
bin/magento csp:inspect:policy script-src 
```

## Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

### [Unreleased]

### [1.0.6] - 01 June 2026
#### Fixed
- Make commands Symfony 7 compliant

### [1.0.5] - 22 October 2025
#### Fixed
- Copy generic CI/CD files
- Add CHANGELOG
- Fix wrong import of Console InputArgument, should be Symfony clas
- Remove int return type from Symfony commands for Symfony 5 compat
- Properly check for URL

## Recent Versions

| Version | Released |
|---|---|
| 1.0.6 | 2026-06-01 |
| 1.0.5 | 2025-10-22 |
| 1.0.4 | 2024-09-12 |
| 1.0.3 | 2024-09-03 |
| 1.0.2 | 2024-09-03 |
| 1.0.1 | 2024-09-03 |
| 1.0.0 | 2024-08-23 |

## Dependencies

### Require

| Package | Constraint |
|---|---|
| ext-pcre | * |
| guzzlehttp/guzzle | ^6.0\|^7.0 |
| magento/framework | ^102.0\|^103.0 |
| magento/module-csp | ^100.0 |
| magento/module-store | ^101.1 |
| symfony/console | ^5.0\|^6.0\|^7.0\|^8.0 |

## Quality

Latest release (1.0.6) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | not tested | not tested | – | – |
| 2.4.8 | – | not tested | not tested | – |
| 2.4.9 | – | – | not tested | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 2 | 2 warnings (ruleset: Magento2) — 2 auto-fixable with phpcbf |
| PHPMD | Pass | 0 |  |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 3 | 3 | – | – |
| 2.4.8 | – | 3 | 3 | – |
| 2.4.9 | – | – | 3 | 3 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["yireo/magento2-csp-inspector"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

yireo is a Magento 2 vendor on Packagento. See https://packagento.com/yireo.md for their full catalogue.