Basecom_CspSplitHeader Magento 2 Module


[!IMPORTANT]
As of Magento 2.4.7 the Magento CSP module (Magento_Csp) can no longer be disabled, so the size of the CSP headers it emits has to be dealt with rather than avoided.

As the Content Security Policy (CSP) whitelist grows, the Content-Security-Policy and/or Content-Security-Policy-Report-Only header can become so long that it exceeds the maximum header field size the web server permits. The web server then refuses to process the response any further.

CSP allows more than one policy to be delivered for a resource: several Content-Security-Policy headers, several Content-Security-Policy-Report-Only headers, or a meta element [MDN]. The same header name may therefore appear more than once in a response. Note that every delivered policy is enforced independently and a request must satisfy all of them, so the effective policy is the intersection of the headers: splitting can never loosen a policy, but a directive that is absent from one header falls back to that header's default-src, so a source that only a more specific directive in another header allows is still blocked if default-src does not list it as well.

This is where the module comes in. It registers an after plugin on Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render, reads the CSP header the renderer has set, splits it at directive boundaries so that every part remains a syntactically valid policy, and replaces the original header via \Magento\Framework\App\Response\HttpInterface::setHeader with one header per directive. Each resulting header should then stay within the web server's maximum header field size.
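
The splitting rule described above, as an added standalone PHP example that is not the module's own code (the function names, and the accounting of the header name plus `: ` in the size budget, are assumptions): it cuts only at directive boundaries, packs as many directives into a header as fit rather than strictly one per header, and refuses to split a single oversized directive, because a directive spread over two headers is enforced as the intersection of its parts and no longer means what it did.

```php
<?php
declare(strict_types=1);

/**
 * Split a serialized CSP header value into several values that each fit
 * within $maxValueSize bytes, cutting only at directive boundaries.
 *
 * Standalone illustration, not the module's implementation. Directives are
 * packed greedily, so several short directives may share one header; with a
 * small enough limit every directive ends up in its own header, which is the
 * shape shown in the README example.
 *
 * @return string[] header values, each a syntactically complete policy
 * @throws LengthException if one directive alone does not fit
 */
function splitCspHeaderValue(string $policy, int $maxValueSize): array
{
    // A policy is a ';'-separated directive list; whitespace around each is insignificant.
    $directives = array_values(array_filter(
        array_map('trim', explode(';', $policy)),
        static fn (string $d): bool => $d !== ''
    ));

    $headers = [];
    $current = [];    // directives collected for the header being built
    $currentLen = 0;  // byte length of implode(' ', $current)

    foreach ($directives as $directive) {
        $serialized = $directive . ';';
        $len = strlen($serialized);

        if ($len > $maxValueSize) {
            // Every delivered policy must be satisfied, so "script-src a" in one
            // header and "script-src b" in another allows neither a nor b. A single
            // oversized directive therefore cannot be repaired by splitting.
            $name = explode(' ', $directive, 2)[0];
            throw new LengthException(sprintf(
                'Directive "%s" is %d bytes and alone exceeds the %d byte limit',
                $name, $len, $maxValueSize
            ));
        }

        $joinedLen = $current === [] ? $len : $currentLen + 1 + $len; // +1 for the separating space
        if ($current !== [] && $joinedLen > $maxValueSize) {
            $headers[] = implode(' ', $current);
            $current = [];
            $joinedLen = $len;
        }
        $current[] = $serialized;
        $currentLen = $joinedLen;
    }
    if ($current !== []) {
        $headers[] = implode(' ', $current);
    }
    return $headers;
}

/**
 * Budget the limit for the whole header line ("Name: value") and return
 * ready-to-send header lines. Counting the name and ": " against the limit is
 * an assumption about how the web server measures a header field.
 *
 * @return string[]
 */
function splitCspHeaderLines(string $name, string $policy, int $maxHeaderSize): array
{
    $valueBudget = $maxHeaderSize - strlen($name) - strlen(': ');
    if ($valueBudget <= 0) {
        throw new InvalidArgumentException('Header name alone exceeds the limit');
    }
    return array_map(
        static fn (string $value): string => $name . ': ' . $value,
        splitCspHeaderValue($policy, $valueBudget)
    );
}

// Constructed input: the policy from the README example.
$policy = "default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;";

// 8190 keeps the example in a single header; a deliberately tiny limit of 75
// bytes forces one directive per header and reproduces the README's split output.
foreach ([8190, 75] as $limit) {
    echo "-- limit {$limit} --", PHP_EOL;
    foreach (splitCspHeaderLines('Content-Security-Policy', $policy, $limit) as $line) {
        echo $line, PHP_EOL;
    }
}
```

Save it as `split.php` and run `php split.php`; with the 75 byte limit the three header lines from the Example section below are printed. The same function applies unchanged to Content-Security-Policy-Report-Only, and the LengthException is exactly the situation the tip below addresses: a single directive that is too long for the limit on its own.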

[!TIP] If a header is still too large after splitting, a single directive on its own exceeds the limit. Look for Magento modules whose whitelist entries you do not need and remove them to shorten that directive.

Installation

  1. Install it into your Magento 2 project with composer:

    composer require basecom/magento2-csp-split-header
    
  2. Enable module

    bin/magento setup:upgrade
    

Configuration

| Config | Default Value | Description |
|---|---|---|
| basecom_csp_split_header/settings/header_splitting_enable | 0 (disabled) | enables (1) / disables (0) the splitting of the CSP header |
| basecom_csp_split_header/settings/max_header_size | 8190 | maximum allowed header field size |

These values can be updated in the system configuration under Basecom -> Content Security Policy -> Enable.

Example

  1. CSP splitting disabled

    Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;

  2. CSP splitting enabled

    Content-Security-Policy: default-src 'self' https://example.com;
    Content-Security-Policy: connect-src 'none';
    Content-Security-Policy: script-src https://example.com/;

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email magento@basecom.de instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Copyright

© 2024 basecom GmbH & Co. KG