-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update README with new features and examples
- Loading branch information
Showing
2 changed files
with
70 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,32 +1,89 @@ | ||
| [](https://get.typo3.org/version/11) | ||
| [](https://get.typo3.org/version/12) | ||
| [](https://get.typo3.org/version/13) | ||
|
|
||
| # TYPO3 Extension `ls_security_headers` | ||
|
|
||
| This extension offers configurable security headers for the frontend. | ||
| This extension offers configurable security headers for the frontend. You can easily create and manage them | ||
| in a database record of your root page in the TYPO3 backend.<br> | ||
| This comes in handy if for example resources are regularly added/changed, and you need to update the content security | ||
| policy (CSP) accordingly.<br> | ||
| The extension also offers the generation of CSP nonces. | ||
|
|
||
| ## Setup | ||
|
|
||
| 1. Install the extension by using composer | ||
| 2. Create a "Security Headers" record on the root page and configure the desired headers | ||
| 3. Validate your configuration with [securityheaders.com](https://securityheaders.com/) | ||
| 3. Validate your configuration with the scanners | ||
| of [HTTP Observatory](https://developer.mozilla.org/en-US/observatory), [securityheaders.com](https://securityheaders.com/) | ||
| and/or many others. | ||
|
|
||
| ## Infos | ||
| ## Important Notes | ||
|
|
||
| - Security Headers that are defined in the .htaccess or in some other server configuration will not be overwritten. | ||
| - If EXT:staticfilecache is used, you have to extend the [validHtaccessHeaders extension setting](https://github.com/lochmueller/staticfilecache/blob/master/ext_conf_template.txt#L14). | ||
| - Security Headers for the TYPO3 Backend can be defined in AdditionalConfiguration.php with the [BE setting "HTTP"](https://docs.typo3.org/m/typo3/reference-coreapi/11.5/en-us/Configuration/Typo3ConfVars/BE.html#http). | ||
| - **It's highly recommended to use this extension only if the TYPO3 core feature | ||
| `security.frontend.enforceContentSecurityPolicy` is disabled.** | ||
| - Security Headers that are defined in the `.htaccess` or in some other server configuration will not be overwritten. | ||
| - If EXT:staticfilecache is used, you have to extend | ||
| the [validHtaccessHeaders extension setting](https://github.com/lochmueller/staticfilecache/blob/master/ext_conf_template.txt#L14). | ||
| - Security Headers for the TYPO3 Backend can be defined in `settings.php` or `additional.php` with | ||
| the [BE setting "HTTP"](https://docs.typo3.org/m/typo3/reference-coreapi/13.4/en-us/Configuration/Typo3ConfVars/BE.html#confval-globals-typo3-conf-vars-be-http). | ||
|
|
||
| ### Nonce support | ||
| This extension includes a [TypoScript helper function](Classes/Userfuncs/Csp.php) for generating CSP nonces.<br> | ||
| All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy header at the end of the request.<br> | ||
|
|
||
| This extension includes a [TypoScript helper function](Classes/UserFunctions/Csp.php) for generating CSP nonces.<br> | ||
| All the nonces generated by the function during the request will automatically be added to the Content-Security-Policy | ||
| header at the end of the request.<br> | ||
| Basic usage: | ||
|
|
||
| ```html | ||
|
|
||
| <style nonce="{f:cObject(typoscriptObjectPath: 'lib.cspNonce', data: {length: '32', policy: 'style'})}"> | ||
| ``` | ||
| The policy argument defines the policy the nonce should be added to (style for style-src, script for script-src, ...).<br> | ||
| The policy argument defines the policy the nonce should be added to (style for style-src, script for | ||
| script-src, ...).<br> | ||
| The length argument defines the length of the nonce in bytes. | ||
| Furthermore, it's possible to get the nonce output as attribute with the flag `asAttribute = '1'`.<br> | ||
| A possible use case is the replacement feature of TypoScript: | ||
| ```typo3_typoscript | ||
| page.headerData.200 = COA | ||
| page.headerData.200 { | ||
| 10 = TEXT | ||
| 10.value ( | ||
| <script###NONCE###> | ||
| console.log('Hello World'); | ||
| </script> | ||
| ) | ||
| 10.value { | ||
| replacement { | ||
| 1 { | ||
| search = ###NONCE### | ||
| replace.stdWrap.postUserFuncInt = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce | ||
| replace.stdWrap.postUserFuncInt { | ||
| length = 32 | ||
| policy = script | ||
| asAttribute = 1 | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
| Additionally, you can write your own library for the cObject-ViewHelper: | ||
| ```typo3_typoscript | ||
| lib.nonceAttribute = USER_INT | ||
| lib.nonceAttribute { | ||
| userFunc = LimeSoda\LsSecurityHeaders\UserFunctions\Csp->generateNonce | ||
| length = 32 | ||
| policy = script | ||
| asAttribute = 1 | ||
| } | ||
| ``` | ||
| ## Ressources | ||
| [LIMESODA Website Security](https://www.limesoda.com/leistungen/beratung-consulting/website-security) | ||
| * [LIMESODA Website Security](https://www.limesoda.com/leistungen/beratung-consulting/website-security) | ||
| * [securityheaders.com](https://securityheaders.com/) | ||
| * [HTTP Observatory](https://developer.mozilla.org/en-US/observatory) |