Skip to content

Magento 2 module that solves the problem of oversized CSP headers by splitting them into multiple headers. It extends Magento's CSP Simple Policy Renderer to replace the existing CSP headers, ensuring they remain valid and reducing the likelihood of exceeding the web server's maximum header size.

License

Notifications You must be signed in to change notification settings

basecom/magento2-csp-split-header

Repository files navigation

Basecom_CspSplitHeader Magento 2 Module

Packagist Software License Supported Magento Versions


Important

As of Magento 2.4.7 it is no longer possible to deactivate the Magento CSP module.

With a growing Content Security Policies (CSP) whitelist, the problem can arise that the headers Content-Security-Policy-Report-Only and/or Content-Security-Policy become so large that they exceed the maximum permitted size of a header field, causing the web server to not process the response any further.

The CSP mechanism allows multiple policies to be specified for a resource, including via the Content-Security-Policy header, the Content-Security-Policy-Report-Only header and a meta element [MDN]. Therefore, the headers can be specified more than once.

This is where the module comes into play. It implements an after method plugin for the method Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render, which replaces the existing CSP headers via the method \Magento\Framework\App\Response\HttpInterface::setHeader. The header is read, split so that the syntax remains valid, and replaced by the new headers. The result is a separate header for each directive, each of which should no longer exceed the maximum permitted length of the web server.

Tip

If the headers are too large even after splitting, try to identify unnecessary Magento modules and remove them.

Installation

  1. Install it into your Magento 2 project with composer:

    composer require basecom/magento2-csp-split-header
  2. Enable module

    bin/magento setup:upgrade

Configuration

Config Default Value Description
basecom_csp_split_header/settings/header_splitting_enable 0 (disabled) enables (1) / disables (0) the splitting of the CSP header
basecom_csp_split_header/settings/max_header_size 8190 maximum allowed header field size

These values can be updated in the system configuration under Basecom -> Content Security Policy -> Enable.

Example

  1. CSP splitting disabled

    Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;                          
  2. CSP splitting enabled

    Content-Security-Policy: default-src 'self' https://example.com; 
    Content-Security-Policy: connect-src 'none'; 
    Content-Security-Policy: script-src https://example.com/;                          

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email [email protected] instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Copyright

© 2024 basecom GmbH & Co. KG

About

Magento 2 module that solves the problem of oversized CSP headers by splitting them into multiple headers. It extends Magento's CSP Simple Policy Renderer to replace the existing CSP headers, ensuring they remain valid and reducing the likelihood of exceeding the web server's maximum header size.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •