explicit_csp

No security coverage

Explicit CSP helps Drupal site builders define and deliver Content Security Policy (CSP) headers with environment-aware, service-based configuration, so third-party integrations can stay secure and maintainable across environments.

Features

  • Service-first CSP configuration model.
  • Environment-aware service blocks (different directives/URLs per environment).
  • Support for both enforce mode and report-only mode.
  • Optional strict-dynamic behavior for script policies.
  • Optional upgrade-insecure-requests toggle.
  • CSP reporting support with report-uri, report-to, and Reporting-Endpoints.
  • Route-level CSP exclusion support for special endpoints.
  • Fallback middleware for responses that miss normal CSP injection.
  • Twig nonce helper for inline script nonce usage.

Use cases:

  • Managing CSP centrally in Drupal instead of web server snippets.
  • Using different API or script endpoints in dev/test/stage/prod.
  • Rolling out CSP safely with report-only first, then enforce.

Post-Installation

  • Enable the module.
  • Configure explicit_csp.settings (config import, settings.php override, or admin form).
  • Set allowed environments, fallback environment, and enforce/report-only mode.
  • Define reporting settings if you want CSP violation reports.
  • Define service blocks under services, each listing its environments and directives.
  • Clear caches and validate response headers in browser dev tools.
  • Recommended: start in report-only mode before enabling enforce mode.
  • The module ships with minimal install defaults; site policy should be supplied via site config.
  • The recommended service syntax is: one service key with a list of environment blocks.
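The header validation step above can be scripted as well as done by eye in browser dev tools. The following is an added example, not code from the module: it audits one response's headers for the rollout mode (report-only or enforce), for a report-to group that has no matching Reporting-Endpoints entry, and for strict-dynamic without a nonce or hash. The function names and sample headers are constructed, and the check assumes the legacy Report-To header is not in use.

```python
import re

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # a repeated directive is ignored, so the first one wins
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def parse_reporting_endpoints(value):
    """Parse Reporting-Endpoints (name="url", ...) into {name: url}."""
    return dict(re.findall(r'([a-z0-9_*.-]+)\s*=\s*"([^"]*)"', value or "", re.I))

def audit_headers(headers):
    """Return (mode, findings) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    enforce = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if not enforce and not report_only:
        return "none", ["no CSP header on this response"]
    mode = "enforce" if enforce else "report-only"
    policy = parse_csp(enforce or report_only)
    findings = []
    endpoints = parse_reporting_endpoints(h.get("reporting-endpoints"))
    group = (policy.get("report-to") or [None])[0]
    if group and group not in endpoints:
        findings.append(f"report-to group '{group}' not in Reporting-Endpoints")
    if not group and "report-uri" not in policy:
        findings.append("no report-uri/report-to: violations are not collected")
    script = policy.get("script-src", policy.get("default-src", []))
    keyed = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in script)
    if "'strict-dynamic'" in script and not keyed:
        findings.append("'strict-dynamic' without nonce/hash blocks every script")
    if "'unsafe-inline'" in script and not keyed:
        findings.append("'unsafe-inline' in script policy with no nonce/hash")
    return mode, findings

# Constructed sample responses (not output captured from the module).
REPORT_ONLY = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; report-to csp",
    "Reporting-Endpoints": 'csp="https://reports.example.test/csp"',
}
BROKEN = {"Content-Security-Policy":
          "script-src 'strict-dynamic' https://cdn.example.test; report-to csp-main"}
```

Feed it the header dictionary from any HTTP client response; an empty findings list in report-only mode is a reasonable precondition for switching to enforce mode.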

Additional Requirements

  • Drupal core 10 or 11.
  • No mandatory external PHP libraries beyond Drupal core dependencies.
  • A reporting endpoint is required only if CSP reporting is enabled.
  • CSP report collector or monitoring backend (for example, Sentry-based ingestion).
  • Drush/config workflow tooling for environment-specific policy deployment.

Similar projects

  • The CSP module is more UI-configuration driven and doesn't natively support per-environment configuration or service-based definitions.

Supporting this Module

The developer is available for consulting. Issue reports, merge requests, review feedback, and testing contributions are welcome.

Activity

Total releases: 1
First release: Apr 2026
Latest release: 23 hours ago
Stability: 0% stable

Releases

Version Type Release date
1.x-dev Dev Apr 8, 2026