The Content-Security-Policy header allows your Drupal site to inform browsers of trusted sources for JavaScript, CSS, and other external resources. This adds a security layer to detect and mitigate the risk of Cross Site Scripting (XSS), data injection, and other vulnerabilities.
Features
- Integrates with Drupal's Libraries API to automatically generate a default site-wide policy for JavaScript and CSS
- Up-to-date with the latest CSP Level 3 Working Draft
- Policy is automatically optimized to remove duplicate directives and reduce header length
- Dispatches an event to allow other modules to alter policies for each request
- Policy Violation logging integrations:
- For Drupal core < 10.1
  - Automatically adds 'unsafe-inline' to individual requests when necessary for core libraries (core/ckeditor, core/drupal.ajax)
  - The included Content Security Policy Extras module provides additional security hardening by altering core services.
Get Involved
If you're interested in getting involved in module development but don't know where to start, reach out to gapple (@gappleca on Twitter).
Project information
- Module categories: Security, Integrations
- Ecosystem: Permissions Policy, Reporting API
- 18,163 sites report using this module
- Created by gapple on , updated
- Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.
Releases
2.0.0-alpha1
released 13 February 2024
Works with Drupal: ^10
Development version: 2.x-dev updated 13 Feb 2024 at 02:20 UTC
8.x-1.30
released 19 January 2024
Works with Drupal: ^10
✓ Recommended by the project’s maintainer.
Development version: 8.x-1.x-dev updated 13 Feb 2024 at 02:21 UTC