Kirby3 Security Headers - Best practice headers, Nonce, CSP and Feature Policies

I am creating posts for my plugins to make it easier to find them using the forum search and not just the docs search.

This plugin comes with sensible defaults but lets you adjust the headers using the config.

/site/config/config.php

<?php
return [
    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-Frame-Options" => "SAMEORIGIN",
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "strict-transport-security" => "max-age=31536000; includeSubdomains",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', // flock-off
        // ... FEATURE POLICIES
    ],
    // other options...
];

loader
To define the Content security policies (CSP) you can use a json/yaml file (based on the default that comes with the plugin) or…

setter
… use a callback to define csp entries right within the config. Within the setter you can also define custom nonces if you need some.

export apache/nginx
You can also export your configurations for apache/nginx if you prefer to apply them there instead of dynamically with Kirby.


The export apache/nginx is also necessary if you use a static site generator (SSG) like the brand new GitHub - getkirby/staticache: Static site performance on demand plugin (might be moved to core).
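
To illustrate what moving these headers into apache/nginx involves, here is an added sketch that turns a header array of the shape shown in the config into server directives. It is not the plugin's own export code, and `exportHeaders()` is a hypothetical name. It assumes nginx reaches PHP over FastCGI, and it refuses values that cannot be expressed safely in a static config.

```php
<?php
// Added example, not the plugin's exporter; exportHeaders() is a hypothetical name.
function exportHeaders(array $headers, string $server): array
{
    if (!in_array($server, ['apache', 'nginx'], true)) {
        throw new InvalidArgumentException("Unknown server: $server");
    }
    $lines = [];
    foreach ($headers as $name => $value) {
        $value = (string) $value;
        // Header names must be RFC 7230 tokens; this also blocks directive injection.
        if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', (string) $name)) {
            throw new InvalidArgumentException("Invalid header name: $name");
        }
        // Control characters (CR/LF included) would split the header or the config line.
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException("Control character in $name");
        }
        // A nonce must change per response; a fixed one in server config protects nothing.
        if (stripos($value, "'nonce-") !== false) {
            throw new InvalidArgumentException("$name carries a nonce, cannot export statically");
        }
        // nginx expands $variables inside quoted strings.
        if ($server === 'nginx' && strpos($value, '$') !== false) {
            throw new InvalidArgumentException("'$' in $name would be read as an nginx variable");
        }
        if ($value === '') { // empty string means "unset", as in the config above
            $lines[] = $server === 'apache' ? "Header unset $name"
                : "fastcgi_hide_header $name; # assumes PHP behind FastCGI";
            continue;
        }
        $quoted = '"' . addcslashes($value, '"\\') . '"';
        $lines[] = $server === 'apache' ? "Header always set $name $quoted" : "add_header $name $quoted always;";
    }
    return $lines;
}

// Sample input: entries copied from the config shown in the post.
$headers = [
    'X-Powered-By' => '', // unset
    'X-Frame-Options' => 'SAMEORIGIN',
    'strict-transport-security' => 'max-age=31536000; includeSubdomains',
    'Permissions-Policy' => 'interest-cohort=()',
];
foreach (['apache', 'nginx'] as $server) {
    echo implode("\n", exportHeaders($headers, $server)), "\n\n";
}
```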