• Hi Ivanov, congratulations for this great plugin.
    I have a few questions.
    As I added base-uri-none through the plugin, my website crashed, but fortunately I managed to recover it.

    A: After this crash I would like to have your advice if possible.
    I am checking security with Webbkoll scan and this is the result: https://prnt.sc/uodl25
    No. 6 (in red) of them needs improvement in CSP. In order from 1 to 6, which of them can I easily improve by using your plugin?

    B: I checked the basic settings on https://zinoui.com/blog/http-headers-for-wordpress. Can you please check if they are OK and will not crash my site again?
    Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts
    My site: http://www.wooowlook.com
    Best Regards

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi @galix

    A. Actually you can configure all those 6 through this plugin. The question is: do you really need this? Setting up the CSP header depends on how your website is built, your code structure, and what external libraries you are using. So, sometimes 'unsafe-inline' is just OK.

    B. I don't know if this configuration will break your site. If you have SSL, probably yes. My advice is to start with something simple, for example default-src 'self'. Most probably this will break your site, so edit your .htaccess manually. Then open your website and the DevTools console. There you will find exactly which browser policy is violated. So you can easily add those to your CSP configuration. You need to do this for every page of your website until no errors are left. I know this is more of a dev approach, but I found it the most effective.

    Plugin Author Dimitar Ivanov

    (@zinoui)

    B. If you don't feel comfortable editing the .htaccess file manually or just prefer to use the plugin, you can do the following:
    (How to configure the script-src)
    Go to every page of your website, hit "view source", and search for <script> tags. If their src attribute points to an external location, you need to add its origin to the script-src directive. If you have some inline script, add 'unsafe-inline'. Add 'self' to allow scripts that come from your website.

    Then repeat the same for style-src, font-src, img-src, and so on.

    Hope this helps you.
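The "view source, collect every external origin, then repeat per directive" procedure from the two replies above, automated as an added example (this is not the plugin's code and not the author's). It parses a list of page bodies with Python's standard-library HTML parser, records per directive which external origins appear and whether inline code or data: URIs are used, and emits a draft header value. The site origin, the page HTML and the CDN hostnames are constructed sample values, not taken from the thread.

```python
# Added example: build a draft CSP from the sources a set of pages references.
# Mirrors the manual steps in the replies above: 'self' for same-origin
# resources, 'unsafe-inline' where inline script/style exists, and one
# host-source per external origin, per directive. Standard library only.
from html.parser import HTMLParser
from urllib.parse import urlparse


class SourceCollector(HTMLParser):
    """Records, per CSP directive, external origins plus inline/data: usage."""

    def __init__(self, site_origin):
        super().__init__()
        self.site_origin = site_origin.rstrip("/").lower()
        self.origins = {}       # directive -> set of host-sources
        self.inline = set()     # directives that need 'unsafe-inline'
        self.data_uris = set()  # directives that need data:

    def _note(self, directive, url):
        if url.lower().startswith("data:"):
            self.data_uris.add(directive)
            return
        p = urlparse(url)
        if not p.netloc:
            return  # relative URL: same origin, already covered by 'self'
        # A protocol-relative "//host/x" has no scheme; a bare host in CSP
        # matches that host on any scheme, so emit it without one.
        origin = (f"{p.scheme}://{p.netloc}" if p.scheme else p.netloc).lower()
        if origin != self.site_origin:
            self.origins.setdefault(directive, set()).add(origin)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self._note("script-src", attrs["src"])
            else:
                self.inline.add("script-src")  # <script> with a body
        elif tag == "img" and attrs.get("src"):
            self._note("img-src", attrs["src"])
        elif tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._note("style-src", attrs["href"])
        elif tag == "style":
            self.inline.add("style-src")
        if "style" in attrs:
            self.inline.add("style-src")   # style="" attributes are inline CSS
        if any(name.startswith("on") for name in attrs):
            self.inline.add("script-src")  # onclick= etc. are inline script


def draft_csp(pages, site_origin):
    """Return a draft Content-Security-Policy value covering all given pages."""
    c = SourceCollector(site_origin)
    for html in pages:
        c.feed(html)
    c.close()
    parts = ["default-src 'self'"]
    for directive in ("script-src", "style-src", "img-src"):
        sources = ["'self'"]
        if directive in c.inline:
            sources.append("'unsafe-inline'")
        if directive in c.data_uris:
            sources.append("data:")
        sources.extend(sorted(c.origins.get(directive, ())))
        if len(sources) > 1:  # a directive that is only 'self' is covered by default-src
            parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


# Constructed sample site and pages (hypothetical hostnames, not from the thread).
SITE = "http://www.example-site.test"
HOME_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.test/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<style>body{margin:0}</style>
<script src="http://www.example-site.test/wp-includes/js/jquery.js"></script>
<script src="//cdn.example-cdn.test/lib.js"></script>
<script>console.log("inline")</script>
</head><body><img src="/wp-content/uploads/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo="></body></html>"""
ABOUT_PAGE = """<html><body><p onclick="track()">About</p>
<img src="https://img.example-cdn.test/banner.jpg"></body></html>"""

if __name__ == "__main__":
    print("Content-Security-Policy: " + draft_csp([HOME_PAGE, ABOUT_PAGE], SITE))
```

Feed it the source of every page, as the reply says, and the union lands in one header. The draft is a starting point to confirm in the DevTools console, not a finished policy: it will still show 'unsafe-inline' wherever a theme or plugin emits inline code, and it does not cover font-src, connect-src or frame-src. Shipping the draft as Content-Security-Policy-Report-Only first lets the browser report violations without blocking anything, which avoids the "most probably this will break your site" step.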


The topic ‘Content-Security-Policy’ is closed to new replies.