HTTP Header Management

From Joomla! Documentation

This page is a translated version of the page J4.x:Http Header Management and the translation is 47% complete.

How to use the new HTTP Header Management in Joomla 4.0

With Joomla 4.0, Joomla introduced an HTTP Header Management system. This system was developed to help site owners configure HTTP security headers from the backend.

This tutorial explains how to set up the new system.


HTTP Headers (plg_system_httpheaders)

Navigate to System > Plugins > System - HTTP Headers to access the plugin configuration.

Plugin Configuration

On this screen you set whether the headers are written to the server configuration files (.htaccess and web.config) and whether the following HTTP headers are enabled.

Via the "Additional Header" form you can also configure the following headers with their values:


Strict-Transport-Security (HSTS) Configuration

On this screen you can set whether the Strict-Transport-Security (HSTS) header is enabled. You can also configure the max-age value here, whether subdomains are included, and whether the site should be added to the browsers' preload list.



Content Security Policy (com_csp)

Navigate to System > Content Security Policy to access the dashboard for the Content Security Policy reports.


From this screen, as an administrator, you get a global overview of the collected Content Security Policy reports and can review, publish, hide and delete the proposed Content Security Policy rules.


To learn more, see: Content Security Policy Interface


From this screen you can configure the component options, such as the permissions and, specifically, the settings for the Content-Security-Policy, including the different modes and whether the headers are in read only mode.


To learn more, please see: Content Security Policy Options


When you have configured some HTTP security headers directly on the server, our tooling might create double entries.

Check the output of your HTTP headers in the browser's developer tools after configuring them (in Google Chrome: Inspect > Network > select the request > the output under Headers). You can then disable the headers that cause double entries. Also check the console of your browser for possible errors.
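The check described above can be scripted once the response headers have been copied out of the browser. The following PHP script is an added example and is not part of the Joomla documentation or of Joomla core: it parses constructed sample header lines, reports any security header that appears more than once (the double entries that arise when both the plugin and the web server set it), and checks the Strict-Transport-Security value against the max-age, includeSubDomains and preload options from the HSTS section. The sample header lines and the list of header names to check are constructed for this example; the preload requirements (max-age of at least one year, includeSubDomains, preload) are the published rules of the browser preload list.

```php
<?php
// Added example, not Joomla core code: audit a site's security headers for
// duplicates and check the HSTS directives. Sample data is constructed.
declare(strict_types=1);

/** Constructed sample: raw response header lines as shown in a browser's Network tab. */
const SAMPLE_HEADERS = [
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=utf-8',
    'Strict-Transport-Security: max-age=300; includeSubDomains; preload',   // e.g. set by the plugin
    'Strict-Transport-Security: max-age=31536000',                           // e.g. also set in .htaccess
    'X-Frame-Options: SAMEORIGIN',
    'X-Content-Type-Options: nosniff',
    'Content-Security-Policy-Report-Only: default-src \'self\'; report-uri /csp-report',
];

/** Header names worth checking for duplicates (constructed list for this example). */
const SECURITY_HEADERS = [
    'strict-transport-security',
    'content-security-policy',
    'content-security-policy-report-only',
    'x-frame-options',
    'x-content-type-options',
    'referrer-policy',
];

/**
 * Parse raw header lines into name => list of values. Names are lower-cased
 * and the status line is skipped; keeping a list per name is what exposes duplicates.
 */
function parseHeaderLines(array $lines): array
{
    $headers = [];

    foreach ($lines as $line) {
        $pos = strpos($line, ':');

        if ($pos === false || strncmp($line, 'HTTP/', 5) === 0) {
            continue;
        }

        $name  = strtolower(trim(substr($line, 0, $pos)));
        $value = trim(substr($line, $pos + 1));

        $headers[$name][] = $value;
    }

    return $headers;
}

/** Return name => values for every security header that occurs more than once. */
function findDuplicateSecurityHeaders(array $headers): array
{
    $duplicates = [];

    foreach (SECURITY_HEADERS as $name) {
        if (isset($headers[$name]) && count($headers[$name]) > 1) {
            $duplicates[$name] = $headers[$name];
        }
    }

    return $duplicates;
}

/** Check one HSTS header value; returns a list of findings (empty = fine). */
function checkHsts(string $value): array
{
    $findings   = [];
    $directives = array_map('trim', explode(';', strtolower($value)));
    $maxAge     = null;

    foreach ($directives as $directive) {
        if (preg_match('/^max-age=(\d+)$/', $directive, $m)) {
            $maxAge = (int) $m[1];
        }
    }

    if ($maxAge === null) {
        $findings[] = 'max-age directive missing, the header is invalid';
    }

    // Preload list requirements: includeSubDomains and at least one year of max-age.
    if (in_array('preload', $directives, true)) {
        if (!in_array('includesubdomains', $directives, true)) {
            $findings[] = 'preload requires includeSubDomains';
        }

        if ($maxAge !== null && $maxAge < 31536000) {
            $findings[] = "preload requires max-age of at least 31536000, got $maxAge";
        }
    }

    return $findings;
}

$headers = parseHeaderLines(SAMPLE_HEADERS);

foreach (findDuplicateSecurityHeaders($headers) as $name => $values) {
    echo "Duplicate header '$name': " . implode(' | ', $values) . PHP_EOL;
}

foreach ($headers['strict-transport-security'] ?? [] as $value) {
    foreach (checkHsts($value) as $finding) {
        echo "HSTS '$value': $finding" . PHP_EOL;
    }
}
```

With the constructed sample the script reports the duplicated Strict-Transport-Security header and flags the first value, whose 300-second max-age is too short for the preload directive it carries; replace SAMPLE_HEADERS with the lines copied from the Network tab of your own site.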

Extension Developers

As you might know, the big security advantage of Content Security Policy comes into play when we can use the header to block all inline JavaScript and inline CSS, which affects for example JavaScript event handlers set via HTML attributes. So with this browser protection enabled we will block inline JavaScript and inline CSS usage for your extensions as well. That protection is not enabled by default but can be enabled by your users.

For 4.0 it is recommended to get the frontend of your extension running with strict Content Security Policy enabled. For 4.1 compatibility it is recommended that this also applies to your backend.

We know that inline JavaScript and CSS are still a requirement; for that reason we have implemented nonce and hash support into our Document APIs. When you use them, the core will make sure they are whitelisted, while any malicious inline code that does not pass through them is still blocked to protect our sites.

Important notes for Extension Developers

Starting with Joomla 4.0 Content Security Policy:

  • is shipped by the core
  • is disabled by default
  • can be enabled by your users
  • it is strongly recommended that your extension frontend works by 4.0 with Content Security Policy enabled
  • it is recommended that your extension backend works by 4.1 with Content Security Policy enabled

With strict Content Security Policy enabled the following features will be blocked:

  • the execution of JavaScript via the HTML event handlers (onXXX handlers like onClick and similar)
  • the execution of in-page JavaScript not passed to the page via the Document API
  • the execution of JavaScript code injected into DOM APIs such as eval()
  • the usage of inline in-page CSS not passed to the page via the Document API
  • the usage of inline CSS using the HTML style attribute

To get your extensions to work even with strict Content Security Policy enabled, the easiest way is to use the Document API to apply your inline JavaScript and CSS; please check the examples below.

Adding JavaScript using the Joomla API

use Joomla\CMS\Factory;

/** @var Joomla\CMS\WebAsset\WebAssetManager $wa */
$wa = Factory::getApplication()->getDocument()->getWebAssetManager();

// Add JavaScript from URL
$wa->registerAndUseScript('com_example.sample', 'https://example.org/sample.js', [], ['defer' => true]);

// Add inline JavaScript (the core emits it with the nonce/hash the CSP header allows)
$wa->addInlineScript('
    document.addEventListener("DOMContentLoaded", function(event) {
        alert("An inline JavaScript Declaration");
    });
');

Adding CSS using the Joomla API

use Joomla\CMS\Factory;

/** @var Joomla\CMS\WebAsset\WebAssetManager $wa */
$wa = Factory::getApplication()->getDocument()->getWebAssetManager();

// Add Style from URL
$wa->registerAndUseStyle('com_example.sample', 'https://example.org/sample.css');

// Add inline Style (the core emits it with the nonce/hash the CSP header allows)
$wa->addInlineStyle('
    body {
        background: #00ff00;
        color: rgb(0,0,255);
    }
');
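The two API snippets above show the calls in isolation. The following layout file is an added example, not code from the Joomla documentation or from Joomla core: it takes markup that uses each construct from the list of features blocked under strict Content Security Policy (an onXXX attribute, an inline script with eval(), a style attribute) and rewrites it so that the JavaScript and CSS go through the WebAssetManager. The extension name com_example, the language key COM_EXAMPLE_CLICK and the element id example-button are assumed names for this example.

```php
<?php
// Added example, not Joomla core code: a component layout rewritten for
// strict Content Security Policy. "com_example", COM_EXAMPLE_CLICK and the
// element id "example-button" are assumed names.
//
// BEFORE (every construct here is blocked under strict CSP):
//
//   <button onclick="alert('clicked')" style="color: rgb(0,0,255);">Click</button>
//   <script>
//       eval("console.log('inline script')");   // inline <script> plus eval()
//   </script>
//
// AFTER: the script and style go through the WebAssetManager, which emits them
// with the nonce or hash that the CSP header allows, and the markup carries
// no onXXX attribute and no style attribute.

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;

/** @var Joomla\CMS\WebAsset\WebAssetManager $wa */
$wa = Factory::getApplication()->getDocument()->getWebAssetManager();

// The click handler is attached with addEventListener from script that the
// Document API passed to the page, so it is whitelisted instead of blocked.
// eval() would still be refused even inside this nonced script (that needs
// 'unsafe-eval' in the policy), so the handler does not use it.
$wa->addInlineScript('
    document.addEventListener("DOMContentLoaded", function () {
        var button = document.getElementById("example-button");

        if (button) {
            button.addEventListener("click", function () {
                window.alert("clicked");
            });
        }
    });
');

// The former style attribute becomes a rule added through the Document API.
$wa->addInlineStyle('
    #example-button {
        color: rgb(0,0,255);
    }
');
?>
<button id="example-button" type="button">
    <?php echo Text::_('COM_EXAMPLE_CLICK'); ?>
</button>
```

With the CSP component enabled, open the browser console on a page using this layout: the rewritten version produces no CSP violation reports, whereas the "BEFORE" markup produces one for the onclick attribute, one for the inline script and one for the style attribute, which is also what shows up in the com_csp report dashboard.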

More details can be found here: Adding JavaScript and CSS to the page

Additional resources about Content Security Policy and HTTP Headers