Allows the defining and refining of Content-Security-Policy headers and sets them on responses to requests for the front end of the site. Once the policy has been tuned it is set in a file and can only be altered with access to the file system.
- Install the module. By default this will not set a header.
- Login / create an account at https://report-uri.com and create a subdomain.
- Add the wizard URL together with a restrictive header to the module's config.
- View and allow URLs in the report-uri.com wizard and then generate a policy.
- Add the generated policy to the module's config together with a ReportOnly report-uri.
- Repeat steps 5-6 until happy that the policy is not reporting violations that are false positives.
- Cut and paste the policy from the config into a file and upload it to etc/csp.txt within the module.
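The tuning loop above can be checked offline before a policy is locked into etc/csp.txt. The script below is an added example and is not code from this module or its authors: it parses a CSP header string, decides whether a reported source would be allowed by a candidate policy, and lists the origins that still show up in violation reports so that each one can be allowed deliberately (or, for values such as "inline", reviewed by hand) before the policy is enforced. The page origin, the three violation reports and the report-uri subdomain are constructed placeholders, and the reporting endpoint is written in the form report-uri.com documents for its wizard.

```python
import json
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "media-src", "object-src", "frame-src", "child-src"}


def parse_policy(header_value):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}"""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def render_policy(policy):
    """Serialise back to header form, e.g. for pasting into etc/csp.txt."""
    return "; ".join(d + " " + " ".join(s) for d, s in policy.items())


def _host_source_matches(src, target):
    """Match a host-source such as https://cdn.example.com or *.example.com."""
    if "://" in src:
        scheme, host = src.split("://", 1)
        if target.scheme != scheme:
            return False
    else:
        host = src
    host = host.split("/", 1)[0].split(":", 1)[0].lower()  # drop path and port
    if host == "*":
        return True
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host


def source_allowed(policy, directive, uri, page_origin):
    """Would `uri`, fetched under `directive`, be permitted by `policy`?"""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if not sources or "'none'" in sources:
        return False
    target, own = urlsplit(uri), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.netloc) == (own.scheme, own.netloc):
                return True
        elif src.endswith(":") and "://" not in src:  # scheme-source, e.g. data:
            if target.scheme == src[:-1]:
                return True
        elif not src.startswith("'") and _host_source_matches(src, target):
            return True
    return False


def outstanding_violations(policy, reports, page_origin):
    """Blocked origins that `policy` still does not allow, grouped by directive.
    Reports already covered by the candidate policy are dropped; non-URL
    blocked-uri values ('inline', 'eval', ...) are kept verbatim for manual review."""
    outstanding = {}
    for report in reports:
        body = report["csp-report"]
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        blocked = body.get("blocked-uri", "")
        if "://" in blocked:
            if source_allowed(policy, directive, blocked, page_origin):
                continue
            parts = urlsplit(blocked)
            origin = parts.scheme + "://" + parts.netloc
        else:
            origin = blocked or "(empty)"
        outstanding.setdefault(directive, set()).add(origin)
    return {d: sorted(v) for d, v in outstanding.items()}


def allow(policy, directive, origin):
    """Return a copy of `policy` with `origin` added to `directive`."""
    new = {d: list(s) for d, s in policy.items()}
    new.setdefault(directive, list(new.get("default-src", [])))
    if origin not in new[directive]:
        new[directive].append(origin)
    return new


# Constructed sample data: a first restrictive policy (YOUR-SUBDOMAIN is a
# placeholder) plus three violation reports of the kind a browser posts.
PAGE = "https://shop.example"
INITIAL = parse_policy("default-src 'self'; img-src 'self' data:; "
                       "report-uri https://YOUR-SUBDOMAIN.report-uri.com/r/d/csp/wizard")
SAMPLE_REPORTS = [json.loads(s) for s in (
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src", '
    '"violated-directive": "script-src", "blocked-uri": "https://cdn.example.net/checkout.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "img-src", '
    '"violated-directive": "img-src", "blocked-uri": "https://shop.example/media/logo.png"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src", '
    '"violated-directive": "script-src", "blocked-uri": "inline"}}',
)]

if __name__ == "__main__":
    print(outstanding_violations(INITIAL, SAMPLE_REPORTS, PAGE))
    tuned = allow(INITIAL, "script-src", "https://cdn.example.net")
    print(render_policy(tuned))
    print(outstanding_violations(tuned, SAMPLE_REPORTS, PAGE))
```

Run once per batch of reports downloaded from report-uri.com: anything still listed is either a source to add with `allow()` or a false positive to ignore, and the `render_policy()` output is what goes into the config and, finally, etc/csp.txt (with the report-uri changed from the wizard endpoint to the ReportOnly one as the steps describe).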
This is done for security. Most attacks against Magento occur by an attacker getting access to the admin backend of the site. Once installed and configured, such an attacker would not be able to disable this module unless they have access to the file system.
No, this will only ever allow ReportOnly headers.
No, you can set the report-uri to anything you like or not have one. However, it is recommended that you use a report-uri when developing a policy, as otherwise it may kill legitimate behaviour and you may not notice.
Author:: Nathaniel McHugh ([email protected])
Author:: Ross Kinsman ([email protected])