
basecom/magento2-csp-split-header

Latest stable version: 1.0.7

Composer install command:

composer require basecom/magento2-csp-split-header

Package description

Magento 2 module to split oversized CSP headers into multiple headers.

README


Important

As of Magento 2.4.7 it is no longer possible to deactivate the Magento CSP module.

With a growing Content Security Policy (CSP) whitelist, the Content-Security-Policy-Report-Only and/or Content-Security-Policy header can become so large that it exceeds the maximum header field size the web server permits, at which point the server refuses to process the response any further.

The CSP mechanism allows multiple policies to be specified for a resource, including via the Content-Security-Policy header, the Content-Security-Policy-Report-Only header and a meta element [MDN]. Therefore, the headers can be specified more than once.

This is where the module comes into play. It implements an after-method plugin on Magento\Csp\Model\Policy\Renderer\SimplePolicyHeaderRenderer::render, which replaces the CSP headers already set on the response via \Magento\Framework\App\Response\HttpInterface::setHeader. The existing header value is read, split at directive boundaries so that each part remains syntactically valid, and re-emitted as several headers. The result is one header per directive, each of which should stay below the web server's maximum permitted header length.

Tip

If the headers are too large even after splitting, try to identify unnecessary Magento modules and remove them.

Installation

  1. Install it into your Magento 2 project with composer:

    composer require basecom/magento2-csp-split-header

  2. Enable the module:

    bin/magento setup:upgrade

Configuration

| Config | Default value | Description |
| --- | --- | --- |
| basecom_csp_split_header/settings/header_splitting_enable | 0 (disabled) | enables (1) / disables (0) the splitting of the CSP header |
| basecom_csp_split_header/settings/max_header_size | 8000 | maximum allowed header field size |

These values can be updated in the system configuration under Basecom -> Content Security Policy -> Enable.

Example

  1. CSP splitting disabled

    Content-Security-Policy: default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;

  2. CSP splitting enabled

    Content-Security-Policy: default-src 'self' https://example.com;
    Content-Security-Policy: connect-src 'none';
    Content-Security-Policy: script-src https://example.com/;
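The following is an added example, not code from the basecom module, that shows in plain Python (the module itself is PHP) the per-directive split described in the introduction and in the Example section above, together with a check a practitioner should run on the result: browsers enforce every delivered CSP header independently, and a fetch directive that is absent from a header falls back to that header's default-src. After a split, the header that carries only default-src therefore also governs script-src, connect-src and so on, and the combined effect of all headers is their intersection. The function names (split_header, compare_split), the exact-token source matching and the CDN_EXAMPLE policy are assumptions made for this example; README_EXAMPLE is the header from the Example section above.

```python
"""Added example: split an oversized CSP header one directive per header and
check how browsers combine the resulting policies. Not the basecom module's
code; parsing and source matching are simplified for illustration."""
from typing import Dict, List, Tuple

Policy = Dict[str, List[str]]

# Fetch directives that fall back to default-src when absent from a policy
# (a subset of the CSP3 list, enough for the examples below).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src"}


def parse_policy(value: str) -> Policy:
    """Parse 'name src src; name src' into an ordered dict of source lists.
    Empty segments (e.g. from a trailing ';') are dropped and, as in CSP,
    the first occurrence of a directive name wins."""
    policy: Policy = {}
    for segment in value.split(";"):
        tokens = segment.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_policy(policy: Policy) -> str:
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


def split_header(name: str, value: str, max_size: int = 8000) -> List[Tuple[str, str]]:
    """Return (header-name, value) pairs. The header is left alone if it fits;
    otherwise each directive becomes its own header. A directive that exceeds
    max_size on its own cannot be split any further (the README's advice is to
    shrink the whitelist by removing modules), so raise instead of emitting it."""
    if len(f"{name}: {value}") <= max_size:
        return [(name, value)]
    headers = []
    for directive, sources in parse_policy(value).items():
        piece = serialize_policy({directive: sources})
        if len(f"{name}: {piece}") > max_size:
            raise ValueError(f"{directive} alone exceeds {max_size} bytes; the whitelist must shrink")
        headers.append((name, piece))
    return headers


def allowed_by_policy(policy: Policy, directive: str, source: str) -> bool:
    """Decision of ONE policy for a fetch directive. If the directive is absent the
    policy's default-src applies; if that is absent too, this policy does not
    restrict it. Matching is exact-token ("'self'", "https://cdn.example"): host
    wildcards and path prefixes are not modelled, and 'none' matches nothing."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return source in sources


def allowed_by_all(policies: List[Policy], directive: str, source: str) -> bool:
    """Browsers enforce every delivered CSP header independently: a load must pass all."""
    return all(allowed_by_policy(p, directive, source) for p in policies)


def compare_split(value: str, max_size: int) -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """For each source explicitly whitelisted in a fetch directive, report whether it
    is allowed before and after splitting: {(directive, source): (before, after)}."""
    original = parse_policy(value)
    split = [parse_policy(v) for _, v in split_header("Content-Security-Policy", value, max_size)]
    report = {}
    for directive, sources in original.items():
        if directive in FETCH_DIRECTIVES:
            for source in sources:
                if source != "'none'":
                    report[(directive, source)] = (
                        allowed_by_all([original], directive, source),
                        allowed_by_all(split, directive, source),
                    )
    return report


# README_EXAMPLE is the header from the Example section; CDN_EXAMPLE is constructed.
README_EXAMPLE = "default-src 'self' https://example.com; connect-src 'none'; script-src https://example.com/;"
CDN_EXAMPLE = "default-src 'self'; script-src https://cdn.example; connect-src 'none'"

if __name__ == "__main__":
    for name, piece in split_header("Content-Security-Policy", README_EXAMPLE, max_size=80):
        print(f"{name}: {piece}")
    # Once split, the header carrying only default-src also governs script-src,
    # so a CDN that default-src does not list is blocked by the combined policy.
    for key, (before, after) in compare_split(CDN_EXAMPLE, max_size=60).items():
        print(key, "before:", before, "after:", after)
```

The comparison matters because the page's own example happens to be safe (every script-src source is also covered by default-src), whereas CDN_EXAMPLE is not: before the split, scripts from https://cdn.example are allowed; afterwards the default-src header alone restricts scripts to 'self' and the intersection blocks the CDN. When enabling splitting, verify the resulting headers in a Report-Only deployment or with a check like compare_split rather than assuming the split is semantically neutral.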

Known Issues

CSP header is not split correctly (#5)

Lower the maximum allowed header field size threshold in the config basecom_csp_split_header/settings/max_header_size.

Varnish 503 error (#7)

Increase the Varnish header size parameter http_resp_hdr_len. The default value is 8kb.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email magento@basecom.de instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Copyright

© 2024 basecom GmbH & Co. KG

Statistics

  • Total downloads: 36.41k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 51
  • Hits: 2
  • Dependents: 0
  • Suggesters: 0

GitHub information

  • Stars: 51
  • Watchers: 3
  • Forks: 4
  • Language: PHP

Other information

  • License: MIT
  • Last updated: 2024-08-06