J4.x

Http Header Management

From Joomla! Documentation

This page contains changes which are not marked for translation.

Other languages:
Deutsch • ‎English • ‎français
Joomla! 
4.0
Tutorial
How to Use the New HTTP Header Management in Joomla 4.0


As of Joomla 4.0, Joomla introduced an HTTP Header Management System. This System is designed to help site owners to configure the HTTP Security Headers from the Backend

In this tutorial, you will find information on how to set up this new system on your site.

Note: The following tutorial is based on the 4.0.0-alpha8 backend template.

Plugin

HTTP Headers (plg_system_httpheaders)

Navigate to System  Plugins  System - HTTP Headers to access the plugin configuration.

Plugin Configuration

Joomla-40-http-headers-plugin-overview-en.png

From this page you can choose to enable that the headers are written to the server configuration files (.htaccess and web.config) and configure whether the following http headers are enabled

Using the "Additional Header" form you can also configure the following headers with its values:

Strict-Transport-Security (HSTS) Configuration

Joomla-40-http-headers-plugin-hsts-en.png

From this page you can choose to enable that the Strict-Transport-Security (HSTS) header as well as configure the max-age value whether subdomains should be included and whether you want to be added to the browsers Preload List.

Component

Content Security Policy (com_csp)

Navigate to System  Content Security Policy to access the Content Security Policy Reports dashboard.

Reports

Joomla-40-content-security-policy-reports-en.png

From this screen the Administrator has a global overview of the collected Content Security Policy reports and has the ability to review, publish, unpublish and delete suggested rules for the Content Security Policy directive.

To learn more, please see: Content Security Policy Interface

Options

Joomla-40-content-security-policy-options-en.png

From this screen you can configure the options of the component like the permissions and specificly the settings for the Content-Security-Policy, including different modes and whether the headers are in read only mode.

To learn more, please see: Content Security Policy Options

Extension Developers

As you might know the big security advantage concerning Content Security Policy jumps in when we can use the Header to block inline JavaScript and inline CSS. But we also know that it is still a requirement to have inline JavaScript and CSS, for that reason we have implemented an nonce support into our JavaScript and CSS APIs using this nonce we can still whitelist your inline JavaScript and CSS but still block any malicious ones to protect our sites.

In order that extensions still work even with strict Content Security Policy enabled, the easiest way is to use the Joomla API to apply your inline JavaScript and CSS, please check the examples below.

Adding JavaScript using the Joomla API

use Joomla\CMS\Factory;

// Add JavaScript from URL
Factory::getDocument()->addScript('https://example.org/sample.js');

// Add inline JavaScript
Factory::getDocument()->addScriptDeclaration('
    window.event("domready", function() {
        alert("An inline JavaScript Declaration");
    });
');

Adding CSS using the Joomla API

use Joomla\CMS\Factory;

// Add Style from URL
Factory::getDocument()->addStyleSheet('https://example.org/sample.css');

// Add inline Style
Factory::getDocument()->addStyleDeclaration('
	body {
		background: #00ff00;
		color: rgb(0,0,255);
	}
');

More details can be found here: