A Joomla Content Security Policy Plugin
- Copy the plugin files into the Joomla install
- In the administrator area, click on "Extensions" -> "Manage" -> "Discover"
- Install the discovered "Content Security Policy" plugin
- In the plug-in manager, enable "System - Content Security Policy"
The plugin is built around a site-admin workflow like this:
- Set the site policy to content="default-src 'self';"
- See what's broken
- Fix broken things one at a time, e.g. content="default-src 'self'; script-src 'self' *.google-analytics.com" to let Google Analytics work again
In practice an admin would probably do this with the Content-Security-Policy-Report-Only header, which reports violations without blocking anything, and just review the reports.
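The review step above can be scripted. The following is an added example, not part of this plugin: it takes a starting policy and a batch of report-uri JSON payloads (the four sample reports are constructed), counts violations per directive and origin, and proposes the tightened policy that would fix them. It deliberately proposes exact origins rather than a wildcard like *.google-analytics.com, and it refuses to auto-allow inline or eval violations, leaving those for a human.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report-uri payloads ({"csp-report": {...}}) as a browser POSTs them in Report-Only mode.
SAMPLE_REPORTS = [
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"effective-directive": "img-src", "blocked-uri": "https://www.google-analytics.com/collect"}}',
]

def parse_policy(policy):
    """'default-src 'self'; img-src a.com' -> {'default-src': ["'self'"], 'img-src': ['a.com']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def serialize_policy(directives):
    return "; ".join(" ".join([name] + srcs) for name, srcs in directives.items())

def blocked_origin(blocked_uri):
    """Keywords such as 'inline', 'eval' or 'data' stay as-is; URLs are reduced to scheme://host."""
    if "://" not in blocked_uri:
        return blocked_uri
    return "{0.scheme}://{0.netloc}".format(urlsplit(blocked_uri))

def summarize_reports(raw_reports):
    """Count (directive, origin) pairs; older violated-directive values carry the whole directive text, so keep its first token."""
    reports = [json.loads(raw)["csp-report"] for raw in raw_reports]
    return Counter((r.get("effective-directive") or r["violated-directive"].split()[0],
                    blocked_origin(r["blocked-uri"])) for r in reports)

def propose_policy(base_policy, raw_reports):
    """Return (amended policy, violations left for manual review). Host origins are appended to the violated
    directive (seeded from default-src when absent); inline/eval/data are never auto-allowed, since 'unsafe-inline'
    would give back most of what the policy buys."""
    directives = parse_policy(base_policy)
    manual = []
    for (directive, origin), n in sorted(summarize_reports(raw_reports).items()):
        if "://" not in origin:
            manual.append((directive, origin, n))
            continue
        srcs = directives.setdefault(directive, list(directives.get("default-src", [])))
        if origin not in srcs:
            srcs.append(origin)
    return serialize_policy(directives), manual
```

Running `propose_policy("default-src 'self'", SAMPLE_REPORTS)` yields a policy allowing the analytics origin for script-src and img-src, plus one inline script violation flagged for manual review.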
- https://www.itoctopus.com/how-content-security-policy-can-help-protect-your-joomla-website
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- cp -v /var/www/html/joomla_dev_01/plugins/system/contentsecuritypolicy/* plugins/system/contentsecuritypolicy/
- cp -v /var/www/html/joomla_dev_01/administrator/language/en-GB/en-GB.plg_system_contentsecuritypolicy.* administrator/language/en-GB/