Content Security Policy Manager

Description

Content Security Policy Manager is a WordPress plugin that allows you to easily configure Content Security Policy headers for your site. You can have different CSP headers for the admin interface, the frontend for logged in users, and the frontend for regular visitors. The CSP directives can be individually enabled, and each policy can be set to enforce, report or be disabled.

Please note that this plugin offers limited help in figuring out what the contents of the policy should be. It only lets you configure the CSP in a easy to use interface.

FAQ

What is a Content Security Policy?

To quote MDN:

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header.

How do I enable reporting?

Reporting can be enabled by setting the report-uri and/or report-to directives. You will need the URL to a server that can handle these kinds of reports, which there are several of. Report URI is one example of such a service, they have a free tier that allows up to 10 000 reports per month (any more than that is just ignored, no extra cost). They also have a CSP wizard that can help you construct your policy.

Reporting can be enabled both in report only mode and in enforce mode. You can use report-only mode to evaluate the contents of the policy by looking at which resources are reported as blocked.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Content Security Policy Manager” is open source software. The following people have contributed to this plugin.

Contributors

“Content Security Policy Manager” has been translated into 1 locale. Thank you to the translators for their contributions.

Translate “Content Security Policy Manager” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.0.0

First version.

  • Support for different policies for admin, logged-in frontend and regular visitors.
  • Different policies can have different reporting/enforcing mode.
  • Directives can be configured separately, to easier see what is allowed in which cases.
  • Support for configuring the Report-To header.