System - Content Security Policy
The System - Content Security Policy plugin(s) bring this much-needed security functionality to Joomla. The fun doesn't stop there - this set of plugins also implements the report-uri feature of the CSP. You can capture your own csp-report via the included AJAX plugin and have it sent to you nightly using the included CLI script. If you want to browse the data, the AJAX plugin offers a handy report browser. Let's look at all of the features:
- Implements all classes of the Content Security Policy standard: Fetch directives, Document directives, Navigation directives, Reporting directives, and the eclectic "Other" directives
- Injects your settings in a Content-Security-Policy HTTP header
- Adds a meta tag with your CSP settings
- Implements report-uri and report-to
- Provides a listener for report-uri and report-to incoming data
- Includes a CLI script to be used in a CRON job for nightly reporting to a selected administrator or administrators
- Includes a report browser, for immediate review of stored reports
- Additional options offer the ability to also set X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Expect-CT headers.
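To show what the header injection and the report-uri listener above actually handle, here is an added example (not the plugin's own code) that serialises a set of directives into a Content-Security-Policy header value, parses the `application/csp-report` JSON a browser POSTs to report-uri, and tallies violations the way a nightly digest would. The directive values, the `/csp-report` endpoint path and the sample reports are constructed for illustration.

```python
import json
from collections import Counter

# Constructed directive settings grouped as the CSP spec does: fetch
# (default-src, script-src), document (base-uri), navigation (form-action)
# and reporting (report-uri, report-to). Values are assumed, not plugin defaults.
DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.test"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "report-uri": ["/csp-report"],      # placeholder listener path
    "report-to": ["csp-endpoint"],      # group name for Reporting-Endpoints
}

def build_csp_header(directives):
    """Serialise directives into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())

def parse_csp_report(body):
    """Parse one report-uri POST body; return the inner 'csp-report' dict,
    or None when the body is not JSON or lacks the mandatory fields."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report

def summarise_reports(bodies):
    """Count (violated-directive, blocked-uri) pairs for a nightly digest,
    silently skipping malformed bodies so junk POSTs cannot break the run."""
    counts = Counter()
    for body in bodies:
        report = parse_csp_report(body)
        if report is not None:
            counts[(report["violated-directive"], report.get("blocked-uri", "-"))] += 1
    return counts

# Constructed sample bodies: two identical script-src violations, one img-src
# violation, one non-JSON body and one JSON body that is not a CSP report.
VIOLATION = {"csp-report": {"document-uri": "https://www.example.test/",
                            "violated-directive": "script-src",
                            "blocked-uri": "https://third-party.example.test/x.js"}}
SAMPLE_BODIES = [json.dumps(VIOLATION), json.dumps(VIOLATION),
                 json.dumps({"csp-report": {"violated-directive": "img-src", "blocked-uri": "data"}}),
                 "not json at all", json.dumps({"unexpected": 1})]

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp_header(DIRECTIVES))
    for (directive, uri), n in summarise_reports(SAMPLE_BODIES).most_common():
        print(f"{n:3d}  {directive:12s} {uri}")
```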
I really tried to give this plugin every feature I would want, and it's running on my site now!
With very little effort, and in very little time - you can pass the securityheaders.io test with an easy "A".