Issue #3338896: Provide a README

README.md 0 → 100644
# Content-Security-Policy
The [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
header allows your Drupal site to inform browsers of trusted sources for
JavaScript, CSS, and other external resources. This adds a security layer to
detect and mitigate the risk of Cross Site Scripting (XSS), data injection,
and other vulnerabilities.
For a full description of the module, visit the
[project page](https://www.drupal.org/project/csp).
Submit bug reports and feature suggestions, or track changes in the
[issue queue](https://www.drupal.org/project/issues/csp).
## Table of contents
- Requirements
- Installation
- Configuration
- How to specify a hash for a script
- Features
- Maintainers
## Requirements
This module requires no modules outside of Drupal core.
## Installation
Install as you would normally install a contributed Drupal module. For further
information, see
[Installing Drupal Modules](https://www.drupal.org/docs/extending-drupal/installing-drupal-modules).
## Configuration
Configure it at `/admin/config/system/csp`.
Test your settings using **Report Only** before applying them in **Enforced**.
**Enforced** will stop scripts that violate the rules from executing, so test first.
You can also enable the **Content Security Policy Extras** module to harden the security of Drupal core's AJAX.
## How to specify a hash for a script
If you are not using `unsafe-inline`, then you can add hashes for your scripts to CSP.
This is supported but NOT RECOMMENDED because Drupal core currently requires `unsafe-inline` for important features (like CKEditor).
If you still want to use hashes, you can specify a hash in the following format: '{hashAlgorithm}-{base64-value}'
- The wrapping single quotes are required.
- The valid hashing algorithms are sha256, sha384, or sha512.
- The hash value must be base64 encoded.
- All characters within the script (or style) element, including leading and trailing whitespace, must be used to calculate the hash value.
If your browser provides a hash value in its CSP error message in the console, you should be able to copy that value. Report-URI.com also provides a tool to generate hashes for arbitrary values: https://report-uri.com/home/hash
## Features
- Integrates with Drupal's Libraries API to automatically generate a default
site-wide policy for JavaScript and CSS
- Up-to-date with the latest
[CSP Level 3 Working Draft](https://www.w3.org/TR/CSP/)
- Policy is automatically optimized to remove duplicate directives and reduce
header length
- Dispatches an event to allow other modules to alter policies for each request
- Policy Violation logging integrations:
- [Reporting module](https://www.drupal.org/project/reporting)
- [Sentry (via Raven module)](https://www.drupal.org/project/raven)
- [CSP log](https://www.drupal.org/project/csp_log)
- [Report-URI.com](https://report-uri.com/)
- For Drupal core < 10.1
- Automatically adds 'unsafe-inline' to individual requests when necessary
for core libraries (
[core/ckeditor](https://www.drupal.org/project/drupal/issues/2789139),
[core/drupal.ajax](https://www.drupal.org/project/csp/issues/3100084))
- The included Content Security Policy Extras module provides additional
security hardening by altering core services.
## Maintainers
- Geoff Appleby - [gapple](https://www.drupal.org/u/gapple)
\ No newline at end of file
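Review bot: The "How to specify a hash for a script" section needs a caveat about how hashes interact with `unsafe-inline`, otherwise the advice at "If you are not using `unsafe-inline`, then you can add hashes" reads as if the two can be mixed safely. Under CSP Level 2 and later, as soon as a `script-src` or `style-src` directive contains any hash (or nonce) source, browsers ignore `'unsafe-inline'` in that same directive, so adding a single `'sha256-...'` entry to a policy that still relies on `'unsafe-inline'` for CKEditor or `core/drupal.ajax` will break those features in **Enforced** mode even though the keyword is still present. Suggest adding a sentence after the "NOT RECOMMENDED" line stating this explicitly, and clarifying that a hash matches only the body of an inline `<script>` or `<style>` element, not an inline event handler attribute such as `onclick` or a `javascript:` URL, which additionally require the CSP Level 3 `'unsafe-hashes'` keyword. The section could also give readers a way to compute the value locally instead of relying on a third-party site or the browser console, e.g. `printf '%s' "$SCRIPT_BODY" | openssl dgst -sha256 -binary | openssl base64 -A`, with the reminder already present that `$SCRIPT_BODY` must be the exact element content including leading and trailing whitespace. Finally, the nested lists under "Policy Violation logging integrations:" and "For Drupal core < 10.1" appear to have lost their indentation in this file; please check that the sub-items are indented so they render as nested bullets.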