Support » Plugin: HTTP Headers » Content Security Policy Settings

  • Resolved bulls_shark

    (@bulls_shark)


    Dear Support Team, unfortunately I am still very inexperienced with the settings and hope that you can help me and offer me suitable settings for this option.

    We use the Revolution Slider and WPBakery Page Builder, have included videos from YouTube and Vimeo, and use Google Fonts or partially self-hosted fonts on some websites, as well as data from https://cdn.jsdelivr.net.

    Thank you for your help and time and thanks for the plugin 🙂

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi @bulls_shark

    Setting the CSP header seems to be a hard task because it depends on the resources used by each particular website/page. That's why there is no standard recommendation.

    My advice is not to try to set up all the values at once. Start small. After each change, look for errors in the DevTools browser console. Those are descriptive enough to find out exactly which directive to fix.

    However, from your description I would propose these settings:

    default-src 'self'
    script-src https://cdn.jsdelivr.net 'self'
    style-src https://cdn.jsdelivr.net https://fonts.googleapis.com 'self'
    img-src data: 'self'
    font-src https://fonts.gstatic.com data: 'self'
    child-src 'self'
    connect-src 'self'

    Hope this helps you.
    Dimitar

    bulls_shark

    (@bulls_shark)

    My current settings:

    default-src 'self'
    script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net
    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com fonts.gstatic.com data:
    img-src 'self'
    connect-src 'self'
    font-src 'self' https://fonts.googleapis.com fonts.gstatic.com
    media-src 'self'
    child-src 'self'
    object-src 'none'
    frame-src 'self'
    block-all-mixed-content

    When testing the website at https://securityheaders.com I reach rating A; it only indicates that 'unsafe-inline' is critical, but it is needed, otherwise the website does not work.

    I am hosting my own fonts, but suddenly I am shown: https://fonts.googleapis.com/css?family=New2018%3A300%2C400%2C700&ver=5.2.2 net::ERR_ABORTED 400

    Why it suddenly loads the local fonts from Google is unclear to me.

    Thanks for the support!

    bulls_shark

    (@bulls_shark)

    Hello Dimitar, thanks for the quick response and your support!

    I have now adopted your settings. So far it almost works; unfortunately, the WPBakery Page Builder is no longer in the backend.

    Failed to load resource: the server responded with a status of 400 (https://fonts.googleapis.com/css?family=New2018%3A300%2C400%2C700&ver=5.2.2). The fonts are registered in the backend itself.

    Best regards

    bulls_shark

    (@bulls_shark)

    Hello, WPBakery Page Builder is running with these settings:
    script-src 'self' 'unsafe-inline' 'unsafe-eval'
    style-src 'self' 'unsafe-inline'

    The fonts I have now loaded directly from Google. Unfortunately, I find no way to make it accept the self-hosted fonts without error and not try to load them from Google.

    Maybe someone still has a solution?

    Thanks again for the help!
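As an added example (not code from the plugin or from anyone in this thread), a small Python checker that parses a CSP header, flags the pitfalls that come up above (a misspelled directive such as font-sec, smart quotes instead of ASCII quotes, 'unsafe-inline' and 'unsafe-eval'), and tells you which directive governs a given URL, so a console error can be traced to the directive that needs fixing. The policy string and the https://example.com site origin are constructed for illustration.

```python
# Constructed policy mirroring the kind of mistakes that surface in this thread:
# a misspelled directive (font-sec) and broad 'unsafe-inline' on scripts and styles.
POSTED_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com fonts.gstatic.com data:; "
    "font-sec 'self' https://fonts.googleapis.com fonts.gstatic.com; object-src 'none'"
)
KNOWN = {"default-src", "script-src", "style-src", "img-src", "font-src", "media-src",
         "child-src", "frame-src", "connect-src", "object-src", "worker-src", "base-uri",
         "form-action", "frame-ancestors", "block-all-mixed-content",
         "upgrade-insecure-requests", "report-uri", "report-to"}  # common names, not exhaustive

def parse_policy(header):
    """Split a CSP header into {directive: [source-expression, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_policy(header):
    """Report mistakes a browser silently ignores, and settings that weaken XSS protection."""
    findings = []
    if any(ch in header for ch in "\u2018\u2019\u201c\u201d"):
        findings.append("smart quotes found: keywords need ASCII quotes, e.g. 'self'")
    for name, sources in parse_policy(header).items():
        if name not in KNOWN:
            findings.append(f"unknown directive '{name}' is ignored by browsers")
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in (s.lower() for s in sources):
                findings.append(f"{name} allows {weak}, which weakens XSS protection")
    return findings

def allows(policy, directive, url, site_origin):
    """True if url matches the directive's sources (falling back to default-src when absent)."""
    sources = policy.get(directive, policy.get("default-src", []))
    scheme, _, rest = url.partition(":")
    host = rest[2:].split("/")[0].split(":")[0].lower() if rest.startswith("//") else ""
    for src in (s.lower() for s in sources):
        h = src.split("://")[-1].split("/")[0]            # host part of a host-source
        if src == "'none'":
            return False
        if (src == "'self'" and url.lower().startswith(site_origin.lower() + "/")
                or src.endswith(":") and scheme.lower() + ":" == src   # scheme-source, e.g. data:
                or host and (h == host or h.startswith("*.") and host.endswith(h[1:]))):
            return True
    return False
```

Running lint_policy(POSTED_POLICY) yields three findings, and allows(parse_policy(POSTED_POLICY), "font-src", "https://fonts.gstatic.com/s/a.woff2", "https://example.com") is False because the misspelled font-sec leaves fonts governed by default-src 'self'.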

  • The topic ‘Content Security Policy Settings’ is closed to new replies.