
Custom CSP – Protect Your Site


Description:
This plugin helps secure your Joomla website by controlling which external services and CDNs (like Google Fonts, YouTube, or LinkedIn) are allowed to load. It adds an extra layer of protection by telling the browser what’s safe and what to block.

You can turn common sources on or off with simple yes/no options, and even add your own trusted domains (like your CDN or external font/image host). No coding needed — just click and save.

Example: Want to embed a YouTube video or load Google Fonts? Just toggle it on!


Technical Description

Plugin Name:
plgSystemCustomCsp – Joomla 5 Content Security Policy Manager

Purpose:
This Joomla 5 System Plugin injects a customizable Content-Security-Policy (CSP) HTTP header into the site's frontend, helping prevent XSS attacks, data injection, and unauthorized loading of external assets.

Key Features:

  • Fully configurable via Joomla admin UI (no code editing)
  • Toggle CSP access for common external resources:
    • Google Fonts
    • Font Awesome CDN
    • jQuery CDN
    • Bootstrap CDN
    • LinkedIn embeds/widgets
    • YouTube videos
    • Animate.css
  • Advanced mode: Admins can specify custom domain lists (comma-separated) per directive:
    • script-src
    • style-src
    • font-src
    • img-src
    • frame-src

Implementation Notes:

  • Custom CSP – Protect Your Site is enforced only on the frontend (site client); the administrator client is left untouched.
  • All domains are sanitized and appended to the appropriate CSP directives at runtime.
  • The final header is injected via the onAfterInitialise() hook.
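The following is an added example, not the plugin's own source, showing how a Joomla 5 system plugin can implement the three notes above: build the policy from yes/no toggles and comma-separated custom lists, reject any entry that is not a bare https origin, and set the header only for the site client from onAfterInitialise(). The parameter names (google_fonts, jquery_cdn, youtube, custom_script-src and so on), the namespace and the class name are assumptions, and the plugin is assumed to be wired through the usual Joomla 5 service provider that calls setApplication(). The sanitizer is the security-relevant part: admin-typed text ends up verbatim in a response header, so anything containing spaces, quotes or semicolons must be dropped rather than passed through, otherwise a stray entry could append its own directives or a bare * and silently weaken the policy.

```php
<?php
// Added example of a Joomla 5 system plugin that injects a CSP header.
// Not the real plugin's code; parameter names below are assumed.

namespace Joomla\Plugin\System\CustomCsp\Extension;

use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\Event\Event;
use Joomla\Event\SubscriberInterface;

final class CustomCsp extends CMSPlugin implements SubscriberInterface
{
    // Sources added by each yes/no toggle, keyed by the directive they belong to.
    // Origins only: a path in a CSP source is easy to get wrong and rarely needed.
    private const PRESETS = [
        'google_fonts' => [
            'style-src' => ['https://fonts.googleapis.com'],
            'font-src'  => ['https://fonts.gstatic.com'],
        ],
        'jquery_cdn'   => ['script-src' => ['https://code.jquery.com']],
        'youtube'      => ['frame-src'  => ['https://www.youtube.com']],
    ];

    // Directives that accept a comma-separated custom list in advanced mode.
    private const CUSTOM_DIRECTIVES = ['script-src', 'style-src', 'font-src', 'img-src', 'frame-src'];

    public static function getSubscribedEvents(): array
    {
        return ['onAfterInitialise' => 'onAfterInitialise'];
    }

    public function onAfterInitialise(Event $event): void
    {
        $app = $this->getApplication();

        // Frontend only; never alter the administrator client's headers.
        if (!$app->isClient('site')) {
            return;
        }

        $header = self::buildHeader($this->params->toArray());
        $app->setHeader('Content-Security-Policy', $header, true);
    }

    /** Assemble the header value from the saved plugin parameters. */
    public static function buildHeader(array $params): string
    {
        // Restrictive baseline; toggles and custom lists only ever add sources.
        // frame-src starts empty so that, when nothing enables it, the directive
        // is omitted and browsers fall back to default-src 'self'.
        $policy = [
            'default-src' => ["'self'"],
            'script-src'  => ["'self'"],
            'style-src'   => ["'self'"],
            'font-src'    => ["'self'"],
            'img-src'     => ["'self'", 'data:'],
            'frame-src'   => [],
            'connect-src' => ["'self'"],
            'object-src'  => ["'none'"],
            'base-uri'    => ["'self'"],
            'form-action' => ["'self'"],
        ];

        foreach (self::PRESETS as $toggle => $byDirective) {
            if ((int) ($params[$toggle] ?? 0) !== 1) {
                continue;
            }
            foreach ($byDirective as $directive => $origins) {
                array_push($policy[$directive], ...$origins);
            }
        }

        foreach (self::CUSTOM_DIRECTIVES as $directive) {
            $raw = (string) ($params['custom_' . $directive] ?? '');
            foreach (explode(',', $raw) as $entry) {
                $clean = self::sanitizeSource($entry);
                if ($clean !== null) {
                    $policy[$directive][] = $clean;
                }
            }
        }

        $parts = [];
        foreach ($policy as $directive => $sources) {
            if ($sources === []) {
                continue;
            }
            $parts[] = $directive . ' ' . implode(' ', array_unique($sources));
        }

        return implode('; ', $parts) . ';';
    }

    /**
     * Accept only a bare https origin such as https://cdn.example.com or
     * https://*.example.com; return null for anything else so that paths,
     * whitespace, quotes, semicolons or a lone wildcard never reach the header.
     */
    public static function sanitizeSource(string $entry): ?string
    {
        $entry = strtolower(trim($entry));
        if ($entry === '' || !preg_match('#^https://(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$#', $entry)) {
            return null;
        }
        return $entry;
    }
}
```

With google_fonts, jquery_cdn and youtube enabled and custom_script-src set to "https://cdn.example.com", buildHeader() yields a header in the same shape as the Output Example below. Passing the third argument true to setHeader() replaces any Content-Security-Policy header a template or another extension may have queued, so only one policy reaches the browser; note also that the baseline here deliberately leaves out 'unsafe-inline' for style-src, which the Output Example includes, since that keyword re-enables inline styles and should be added only when the template genuinely needs it.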

Output Example:

Content-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com https://cdn.example.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data: https://images.example.org;
frame-src https://www.youtube.com;
connect-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';