This extension offers configurable security headers for the frontend.
- Install the extension using Composer
- Create a "Security Headers" record on the root page and configure the desired headers
- Validate your configuration with securityheaders.com
- Security Headers that are defined in the .htaccess or in some other server configuration will not be overwritten.
- If EXT:staticfilecache is used, you have to extend the validHtaccessHeaders extension setting.
- Security Headers for the TYPO3 Backend can be defined in AdditionalConfiguration.php with the BE setting "HTTP".
This extension includes a ViewHelper for generating CSP nonces (NonceViewHelper).
All the nonces generated by the ViewHelper during the request will automatically be added to the Content-Security-Policy header at the end of the request.
Basic usage:
<style nonce="{ls:csp.nonce(policy: 'style', length: '48')}">
The policy argument defines the policy the nonce should be added to (style for style-src, script for script-src, ...).
The length argument defines the length of the nonce in bytes (default is 32).
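
The collect-then-append flow described above, sketched in plain PHP as an added example; it is not the extension's own code. The NonceCollector class, the base64 encoding, the 16-byte minimum and the sample base policy are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: NonceCollector is a hypothetical class, not the extension's code.
final class NonceCollector
{
    /** @var array<string, list<string>> directive name => nonces issued during this request */
    private array $nonces = [];

    /** Issue a fresh nonce for a policy ('style' => style-src, 'script' => script-src). */
    public function issue(string $policy, int $length = 32): string
    {
        if (!preg_match('/^[a-z]+(-[a-z]+)*$/', $policy) || $length < 16) {
            throw new InvalidArgumentException('Bad policy name, or nonce shorter than 128 bits');
        }
        // CSPRNG bytes; base64 (assumed encoding) is valid in both the attribute and the header.
        $nonce = base64_encode(random_bytes($length));
        $this->nonces[$policy . '-src'][] = $nonce;
        return $nonce;
    }

    /** Merge the nonces issued so far into an existing Content-Security-Policy value. */
    public function apply(string $csp): string
    {
        $directives = [];
        foreach (array_filter(array_map('trim', explode(';', $csp))) as $directive) {
            $parts = preg_split('/\s+/', $directive);
            $directives[strtolower(array_shift($parts))] = $parts;
        }
        foreach ($this->nonces as $name => $values) {
            // A directive missing from the policy falls back to default-src, so start from
            // those sources; 'none' has no effect next to other sources and is dropped.
            $directives[$name] ??= $directives['default-src'] ?? [];
            $sources = array_diff($directives[$name], ["'none'"]);
            foreach ($values as $value) {
                $sources[] = "'nonce-{$value}'";
            }
            $directives[$name] = $sources;
        }
        return implode('; ', array_map(
            fn (string $name, array $sources): string => trim($name . ' ' . implode(' ', $sources)),
            array_keys($directives),
            $directives
        ));
    }
}

$collector = new NonceCollector();
$nonce = $collector->issue('style', 48); // same arguments as the basic usage line
echo '<style nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">body{margin:0}</style>', PHP_EOL;
// Constructed base policy standing in for the configured "Security Headers" record.
echo 'Content-Security-Policy: ' . $collector->apply("default-src 'self'; style-src 'self'"), PHP_EOL;
```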