Skip to content

Installing Hyvä CMS

With a license key

TODO

For Contributions and for Technology Partners

If you have access to the Hyvä Commerce CMS GitLab repository, you can install it in development environments using SSH key authentication.

You can configure the git repositories in your root composer.json and use the repositories directly as git repo's beneath your vendor directory. You can check out tags and branches, make commits and push contributions.

  1. Ensure your public SSH key is added to your account on gitlab.hyva.io.

  2. Set minimum-stability to dev in the Magento composer.json 

    composer config minimum-stability dev

  3. Add the Hyvä CMS repository to the Magento composer.json 

    composer config repositories.hyva-themes/commerce-module-cms git git@gitlab.hyva.io:hyva-commerce/module-cms.git

  4. Require the hyva-themes/commerce-module-cms packages using the dev-main branch version: 

    composer require --prefer-source 'hyva-themes/commerce-module-cms:dev-main'

  5. Run bin/magento setup:upgrade

  6. Run tailwind to generate the styles for the Hyvä CMS, replacing vendor/hyva-themes/magento2-default-theme/web/tailwind/ with the path to your theme's web/tailwind folder: 

    bin/magento hyva:config:generate
npm --prefix vendor/hyva-themes/magento2-default-theme/web/tailwind/ ci
npm --prefix vendor/hyva-themes/magento2-default-theme/web/tailwind/ run build-prod

Multi-Store Setup

When using Hyvä CMS Liveview Editor with multiple storefronts on different domains, browsers block iframes by default. Since the editor loads storefront previews inside the Magento admin, you must securely allow embedding within the admin domain for it to work properly.

The correct way to achieve this is to configure Content Security Policy (CSP) frame-ancestors to allow the admin domain.

Production Environments Configure Content Security Policy (CSP) settings to ensure proper iframe functionality between domains. 1. Enable CSP Restrict Mode in the admin area. Add or update the following configuration in `config.xml`: 
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <admin>
                    <report_only>0</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>
2. Add or update the CSP Whitelist Rules In a `csp_whitelist.xml` file add the following: 
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="frame-ancestors">
            <values>
                <value id="magento-admin-domain" type="host">your-admin-domain.com</value>
                <value id="self" type="host">self</value>
                <value id="https" type="host">https:</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
Local Development Environments A quicker method for local **development environments only**, is to configure the `x-frame-options` header in `app/etc/env.php` to allow iframe embedding: 
'x-frame-options' => 'ALLOW-FROM any-domain.test',
The x-frame-options header should only be used in development and must never be enabled in production. While the [ALLOW-FROM directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options#allow-from_origin) is obsolete, it remains useful in development as it allows viewing iframe-based content without enforcing strict CSP settings. Using this approach for production and staging environments is strongly discouraged, it's a security risk, which would allow any domain to embed the Magento storefronts.