• Resolved José

    (@alquimia)


    Hi,

Can you please tell me which is more secure, or what the difference is between these two?

    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set Content-Security-Policy "report-uri https://mydomain.com"

    Thank you

  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi Jose, I am Andrea and I will assist you in the topic you opened. As the first thing I would like to thank you for installing the Headers Security Advanced & HSTS WP plugin.

    Reading your request you are asking which of the following “Content-Security-Policy” headers is more secure.

    The advice is always to evaluate which headers and parameters to choose. In the case of the Headers Security Advanced & HSTS WP plugin the following parameter is used (Header always set Content-Security-Policy “report-uri https://mydomain.com”) for a simple reason that I have carefully evaluated in past versions of the plugin and will explain below.

The upgrade-insecure-requests directive does not guarantee that users visiting your “mydomain.com” site via links on third-party sites will be upgraded to HTTPS for top-level browsing, and therefore does not replace the Strict-Transport-Security (HSTS) header, which is already used by the Headers Security Advanced & HSTS WP plugin with a max-age configuration to ensure that users are not subject to SSL stripping attacks.

This is the reason why I preferred not to use “upgrade-insecure-requests” and instead used other headers together with HSTS.

If you have any further doubts or questions, please do not hesitate to contact me.

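The following Apache configuration is an added illustration of the point made in this thread; it is not the plugin's own configuration. It assumes `mydomain.com` as the site (taken from the question) and a hypothetical `/csp-report` endpoint for violation reports.

```apache
# Pitfall in the two lines from the question: "Header always set" replaces any
# existing header of that name, so the second line overwrites the first and the
# browser only ever receives "report-uri ...", never upgrade-insecure-requests.
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Content-Security-Policy "report-uri https://mydomain.com"

# Corrected: one header, directives separated by ";".
# upgrade-insecure-requests rewrites http:// subresource loads (and same-host
# navigations) on pages that were themselves delivered over HTTPS; report-uri
# names the (hypothetical) endpoint that receives CSP violation reports.
Header always set Content-Security-Policy "upgrade-insecure-requests; report-uri https://mydomain.com/csp-report"

# HSTS covers what upgrade-insecure-requests cannot: once a browser has seen it,
# later top-level http:// navigations to the site (typed URLs, links from third-party
# pages) are converted to https:// before any request is sent, which is what defeats
# SSL stripping. Browsers ignore HSTS received over plain HTTP, so send it only on
# HTTPS responses (mod_ssl sets the HTTPS environment variable).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
```

Check the live result with `curl -sI https://mydomain.com/ | grep -i -E 'content-security-policy|strict-transport-security'`; exactly one CSP header containing both directives and one HSTS header should appear.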
  • The topic ‘Content-Security-Policy “upgrade-insecure-requests” vs “report-uri …”’ is closed to new replies.