Support » Plugin: Content Security Policy Manager » how to fill sites

  • gadelaza

    (@gadelaza)


    I’m on report-only, had lists of errors from Sentry, but how do I fill the sites in the box? Do I use quotes? Do I need https://? Is it separated by space or newline? Help..

    Also, securityheaders said that CSP is not on despite me putting several ‘self’; the site is also behind Cloudflare, though.

    thanks

    • This topic was modified 7 months ago by gadelaza.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Patrick Sletvold

    (@16patsle)

    Hi @gadelaza,

    The values are separated by a space. Only special values like ‘self’ and ‘unsafe-inline’ use quotes. The rest are just domain names, and including https:// is probably a good idea if you only expect that domain to be accessed over HTTPS. There are a few other tricks you can do too, like using a wildcard character, which MDN has some nice examples for.

    If I remember correctly, Security Headers will note that CSP is not on if you have it in Report-Only mode, since that mode does not affect the security of your site. If that’s the case, you should still see your configured Content Security Policy under raw headers further down the page. Using Cloudflare should not usually be a problem.

    Best regards,
    Patrick Sletvold
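
The source-list rules from the reply above (space-separated values, quoted keywords, unquoted hosts, Report-Only versus enforcing header), as an added Python example that is not part of the thread or the plugin's code. `lint_sources` and `build_header` are hypothetical helper names, the domains are constructed, and the check also covers nonce/hash sources, which the thread does not mention.

```python
import re

# Keyword sources that CSP requires in straight single quotes.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
            "strict-dynamic", "report-sample", "wasm-unsafe-eval"}
QUOTED_RE = re.compile(r"^(?:nonce|sha256|sha384|sha512)-\S+$", re.I)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)    # https:  data:
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"                         # optional scheme
    r"(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"        # host, optional *. wildcard
    r"(?::(?:\d+|\*))?(?:/\S*)?$", re.I)                  # optional port and path

def lint_sources(value):
    """Check one directive's text-box value; return (normalized, problems)."""
    fixed, problems = [], []
    for tok in value.split():                 # sources are whitespace-separated
        bare = tok.strip(",;").strip("'\"\u2018\u2019")
        if bare.lower() in KEYWORDS:
            want = f"'{bare.lower()}'"        # keywords are quoted
        elif QUOTED_RE.match(bare):
            want = f"'{bare}'"                # nonce and hash sources are quoted too
        elif SCHEME_RE.match(bare) or HOST_RE.match(bare):
            want = bare                       # schemes and hosts are not
        else:
            problems.append(f"{tok}: not a recognised source")
            continue
        if want != tok:
            problems.append(f"{tok}: write it as {want}")
        fixed.append(want)
    return " ".join(fixed), problems

def build_header(directives, report_only=True):
    """Assemble (header name, header value) from {directive: sources}."""
    name = "Content-Security-Policy" + ("-Report-Only" if report_only else "")
    parts = []
    for directive, sources in directives.items():
        normalized, _ = lint_sources(sources)
        # Valueless directives such as upgrade-insecure-requests take no sources.
        parts.append(f"{directive} {normalized}".strip())
    return name, "; ".join(parts)

if __name__ == "__main__":
    # Constructed input containing the mistakes asked about in the question.
    raw = "self 'https://cdn.example.com', *.example.org https:"
    print(lint_sources(raw))
    print(build_header({"script-src": raw, "upgrade-insecure-requests": ""}))
```

An unquoted `self` is the mistake worth catching first: browsers read it as a host named "self", so the policy silently stops matching the site's own origin.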

    Thread Starter gadelaza

    (@gadelaza)

    Thanks, I managed to get hold of it after realizing this is just a manual helper. I used to use secure-header in Laravel with bepsvpt/secure-headers. It uses true/false for self / eval / inline, while the site list uses an array.

    But there were cases like upgrade-insecure where it’s basically just on and off, but here it has a box or several policies where it has no site input and could be replaced with a check/dropdown.

    Plugin Author Patrick Sletvold

    (@16patsle)

    Yes, the interface is quite simple right now, and just maps directly to the text value of the directives. I have an upcoming version that has some improvements to some of that. At the very least the upgrade-insecure should really not be a text field, I agree. I’ll probably look into adding dropdowns where it makes sense too.

    Best regards,
    Patrick Sletvold
