HTTP Security Headers
Browser-level security is enforced via HTTP headers sent by router.php.
Content Security Policy (CSP) & Nonces
To prevent unauthorized script execution, Pragma CMS uses a Nonce-based CSP. If you add inline JavaScript in your PHP templates, you must attach the global nonce:
```php
<script nonce="<?= $GLOBALS['csp_nonce'] ?>">
console.log("This script is authorized by the CSP.");
</script>
```
See the admin panel → General Settings → Security section for additional settings.
Static Headers
Pragma CMS enforces a baseline set of security headers on every request:
- X-Frame-Options: SAMEORIGIN
  Prevents Clickjacking by blocking iframe embedding from external domains.
- X-Content-Type-Options: nosniff
  Prevents MIME-type sniffing and reduces attack surface from malformed files.
- Referrer-Policy: strict-origin-when-cross-origin
  Limits referrer leakage when navigating to external sites.
- Permissions-Policy: microphone=(), camera=()
  Disables access to sensitive browser APIs unless explicitly required.
- Cache-Control: no-cache, must-revalidate
  Ensures HTML is always revalidated while still allowing efficient asset caching elsewhere.
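As an added example (not Pragma CMS's own router.php code), here is how a front controller can generate the per-request nonce, expose it as $GLOBALS['csp_nonce'] for templates, and send both the nonce-based CSP and the static headers listed above. The exact CSP directive set is an assumption, since the page does not list it.

```php
<?php
// Added example: a minimal front controller mirroring the header behaviour
// described above. Not the CMS's own router.php. Headers must be sent before
// any output, so all header() calls come before the template is rendered.

// 1. A fresh, unpredictable nonce for every request (16 random bytes,
//    base64-encoded). Reusing a nonce across requests defeats the policy.
$nonce = base64_encode(random_bytes(16));
$GLOBALS['csp_nonce'] = $nonce;

// 2. Nonce-based CSP: only <script> tags carrying this nonce may execute.
//    These directives are an assumption; the page does not list them.
header(sprintf(
    "Content-Security-Policy: default-src 'self'; script-src 'nonce-%s'; "
    . "object-src 'none'; base-uri 'self'",
    $nonce
));

// 3. Baseline static headers, as listed above.
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Permissions-Policy: microphone=(), camera=()');
header('Cache-Control: no-cache, must-revalidate');

// 4. Render a template. Inline scripts attach the nonce exactly as documented.
?>
<!DOCTYPE html>
<html>
<head><title>Nonce-based CSP demo</title></head>
<body>
<script nonce="<?= $GLOBALS['csp_nonce'] ?>">
console.log("This inline script is authorized by the CSP.");
</script>
<script>
// No nonce: the browser refuses to run this block and reports a CSP violation.
console.log("This will not run.");
</script>
</body>
</html>
```

Serving this page and checking the browser console shows the first script running and the second blocked, which is the quickest way to confirm the nonce is wired through correctly.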