Issue #3338896: Provide a README

Open Patrick Kenny requested to merge issue/csp-3338896:readme into 8.x-1.x
1 file
+ 89
0
README.md 0 → 100644
+ 89
0
 
# Content-Security-Policy
 
 
The [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 
header allows your Drupal site to inform browsers of trusted sources for
 
JavaScript, CSS, and other external resources. This adds a security layer to
 
detect and mitigate the risk of Cross Site Scripting (XSS), data injection,
 
and other vulnerabilities.
 
 
For a full description of the module, visit the
 
[project page](https://www.drupal.org/project/csp).
 
 
Submit bug reports and feature suggestions, or track changes in the
 
[issue queue](https://www.drupal.org/project/issues/csp).
 
 
 
## Table of contents
 
 
- Requirements
 
- Installation
 
- Configuration
 
- How to specify a hash for a script
 
- Features
 
- Maintainers
 
 
 
## Requirements
 
 
This module requires no modules outside of Drupal core.
 
 
 
## Installation
 
 
Install as you would normally install a contributed Drupal module. For further
 
information, see
 
[Installing Drupal Modules](https://www.drupal.org/docs/extending-drupal/installing-drupal-modules).
 
 
 
## Configuration
 
 
Configure it at `/admin/config/system/csp`.
 
 
Test your settings using **Report Only** before applying them in **Enforced**.
 
 
**Enforced** will stop scripts that violate the rules from executing, so test first.
 
 
You can also enable the **Content Security Policy Extras** module to harden the security of Drupal core's AJAX.
 
 
 
## How to specify a hash for a script
 
 
If you are not using `unsafe-inline`, then you can add hashes for your scripts to CSP.
 
 
This is supported but NOT RECOMMENDED because Drupal core currently requires `unsafe-inline` for important features (like CKEditor).
 
 
If you still want to use hashes, you can specify a hash in the following format: '{hashAlgorithm}-{base64-value}'
 
 
- The wrapping single quotes are required.
 
- The valid hashing algorithms are sha256, sha384, or sha512.
 
- The hash value must be base64 encoded.
 
- All characters within the script (or style) element, including leading and trailing whitespace, must be used to calculate the hash value.
 
 
If your browser provides a hash value in its CSP error message in the console, you should be able to copy that value. Report-URI.com also provides a tool to generate hashes for arbitrary values: https://report-uri.com/home/hash
 
 
 
## Features
 
 
- Integrates with Drupal's Libraries API to automatically generate a default
 
site-wide policy for JavaScript and CSS
 
- Up-to-date with the latest
 
[CSP Level 3 Working Draft](https://www.w3.org/TR/CSP/)
 
- Policy is automatically optimized to remove duplicate directives and reduce
 
header length
 
- Dispatches an event to allow other modules to alter policies for each request
 
- Policy Violation logging integrations:
 
- [Reporting module](https://www.drupal.org/project/reporting)
 
- [Sentry (via Raven module)](https://www.drupal.org/project/raven)
 
- [CSP log](https://www.drupal.org/project/csp_log)
 
- [Report-URI.com](https://report-uri.com/)
 
- For Drupal core < 10.1
 
- Automatically adds 'unsafe-inline' to individual requests when necessary
 
for core libraries (
 
[core/ckeditor](https://www.drupal.org/project/drupal/issues/2789139),
 
[core/drupal.ajax](https://www.drupal.org/project/csp/issues/3100084))
 
- The included Content Security Policy Extras module provides additional
 
security hardening by altering core services.
 
 
 
## Maintainers
 
- Geoff Appleby - [gapple](https://www.drupal.org/u/gapple)
 
\ No newline at end of file
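Review bot: the Configuration section tells readers to test in **Report Only** first but not where the reports end up, so a reader may enable Report Only, see nothing, and assume the policy is clean; the hunk should say that violations are only visible in the browser console unless one of the logging integrations listed later under Features (Reporting module, Sentry via Raven, CSP log, Report-URI.com) is set up, and link the two sections. Two smaller points in the same hunk: the hash format `'{hashAlgorithm}-{base64-value}'` in the "How to specify a hash" section sits in plain prose, so Markdown renders the quotes and braces literally and inconsistently with the backticked `unsafe-inline` above it; wrap it in a code span. And the sub-items under "Policy Violation logging integrations:" and "For Drupal core < 10.1" appear at the same list level as their parent items in this view; if the file has no leading indentation for them, indent them so they render as nested lists rather than as siblings.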