
explicit_csp

32 sites Security covered

Explicit CSP helps Drupal site builders define and deliver Content Security Policy (CSP) headers with environment-aware, service-based configuration, so third-party integrations can stay secure and maintainable across environments.

Features

  • Service-first CSP configuration model.
  • Environment-aware service blocks (different directives/URLs per environment).
  • Support for both enforce mode and report-only mode.
  • Optional strict-dynamic behavior for script policies.
  • Optional upgrade-insecure-requests toggle.
  • CSP reporting support with report-uri, report-to, and Reporting-Endpoints.
  • Route-level CSP exclusion support for special endpoints.
  • Fallback middleware for responses that miss normal CSP injection.
  • Twig nonce helper for inline script nonce usage.

Use cases:

  • Managing CSP centrally in Drupal instead of web server snippets.
  • Using different API or script endpoints in dev/test/stage/prod.
  • Rolling out CSP safely with report-only first, then enforce.

Post-Installation

  • Enable the module.
  • Configure explicit_csp.settings (config import, settings.php override, or admin form).
  • Set allowed environments, fallback environment, and enforce/report-only mode.
  • Define reporting settings if you want CSP violation reports.
  • Define service blocks under services with environments + directives.
  • Clear caches and validate response headers in browser dev tools.
  • Recommended: start in report-only mode before enabling enforce mode.
  • The module ships with minimal install defaults; site policy should be supplied via site config.
  • The recommended service syntax is: one service key with a list of environment blocks.
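
For the header-validation step above, the check can be scripted instead of read off browser dev tools. This is an added example, not code from the module; `audit_csp` and its helpers are hypothetical names, and the sample headers are constructed. It assumes reporting groups are declared through `Reporting-Endpoints`.

```python
import re

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"

def parse_policy(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def endpoint_names(value):
    """Endpoint names declared in Reporting-Endpoints (name="url", ...)."""
    return set(re.findall(r'([\w-]+)\s*=\s*"[^"]*"', value or ""))

def audit_csp(headers):
    """Return the delivery mode and a list of findings for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    present = [n for n in (ENFORCE, REPORT_ONLY) if n in h]
    if len(present) == 2:
        mode = "both"
    elif not present:
        mode = "missing"
    else:
        mode = "enforce" if present[0] == ENFORCE else "report-only"
    declared = endpoint_names(h.get("reporting-endpoints"))
    findings = []
    for name in present:
        policy = parse_policy(h[name])
        script = policy.get("script-src", policy.get("default-src", []))
        keyed = [s for s in script if s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))]
        if "'strict-dynamic'" in script and not keyed:
            findings.append(f"{name}: 'strict-dynamic' without a nonce or hash")
        for group in policy.get("report-to", []):
            if group not in declared:
                findings.append(f"{name}: report-to '{group}' not in Reporting-Endpoints")
        if name == REPORT_ONLY and not ({"report-uri", "report-to"} & policy.keys()):
            findings.append(f"{name}: no report-uri or report-to set")
    return {"mode": mode, "findings": findings}

# Constructed sample response headers (not output from the module).
SAMPLE = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'strict-dynamic' https://cdn.example; report-to csp",
    "Reporting-Endpoints": 'default="https://reports.example/csp"',
}
```

Feed it the headers captured from each environment: a result of `report-only` with no findings is the state to reach before switching to enforce mode.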

Additional Requirements

  • Drupal core 10 or 11.
  • No mandatory external PHP libraries beyond Drupal core dependencies.
  • A reporting endpoint is required only if CSP reporting is enabled.
  • CSP report collector or monitoring backend (for example, Sentry-based ingestion).
  • Drush/config workflow tooling for environment-specific policy deployment.

Similar projects

  • The CSP module is more UI-configuration driven and doesn't natively support per-environment configuration or service-based definitions.

Supporting this Module

The developer is available for consulting. Issue reports, merge requests, review feedback, and testing contributions are welcome.

Activity

  • Total releases: 6
  • First release: Apr 2026
  • Latest release: 2 weeks ago
  • Release cadence: 5 days
  • Stability: 0% stable

Releases

| Version | Type | Release date |
|---|---|---|
| 1.0.0-beta2 | Pre-release | May 5, 2026 |
| 1.0.0-beta1 | Pre-release | May 5, 2026 |
| 1.0.0-alpha3 | Pre-release | Apr 10, 2026 |
| 1.0.0-alpha2 | Pre-release | Apr 9, 2026 |
| 1.0.0-alpha1 | Pre-release | Apr 9, 2026 |
| 1.x-dev | Dev | Apr 8, 2026 |