How to set the Content Security Policy?

  • Hello,
    I checked my website with https://securityheaders.com/ and it shows me the warning below:
    Image 1
    I changed my Apache setting and added the line below to the “httpd.conf” file:
    Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
    But my website got messed up and many things like buttons etc. are not working!
    I changed the above line to:
    Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
    But the problem is not solved and https://securityheaders.com/ shows the same warning!
    I used the Chromium Developer Tools and see the issues below:
    Image 2
    How can I solve this problem?

    Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    The securityheaders warning could be because there is no CSP enforcement, there is only reporting. Include a report_uri directive so you can see what was blocked and why. Then adjust accordingly.

    The reason for the console warning depends on what was actually blocked. Any content from third party sources will need their domains listed along with ‘self’. Note that ‘self’ means the exact domain requested: 'example.com' != 'www.example.com'. Be sure to consistently use or not use ‘www’ or any subdomain.

    For more on CSP usage see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
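As an added example (not code from this thread or from bcworkz's reply), the following Python script parses the JSON violation reports a browser POSTs to a `report-uri` endpoint under a `Content-Security-Policy-Report-Only` header, groups the blocked sources by directive, and flags origins that only failed `'self'` because of an apex/www mismatch of the kind described above. The sample reports, the hosts in them and the `/csp-report` endpoint path are all constructed assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample reports (not real traffic) in the JSON shape a browser POSTs
# to the report-uri endpoint when a Content-Security-Policy-Report-Only policy is violated.
def report(directive, blocked, doc="https://www.example.com/"):
    return json.dumps({"csp-report": {"document-uri": doc,
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})

SAMPLE_REPORTS = [
    report("script-src", "https://cdn.example.net/lib.js"),  # third-party CDN
    report("img-src", "https://example.com/logo.png"),       # apex vs www: not 'self'
    report("style-src-elem", "inline"),                      # inline <style> block
]

KEYWORDS = {"inline", "eval", "data", "blob"}  # non-URL blocked-uri values

def bare_host(host):
    """Drop a leading 'www.' so apex and www variants compare equal."""
    return host[4:] if host.startswith("www.") else host

def summarize(report_lines):
    """Return blocked sources per directive and origins that failed 'self'
    only because of a www/apex mismatch with the document's host."""
    blocked = defaultdict(set)
    self_mismatch = set()
    for line in report_lines:
        r = json.loads(line)["csp-report"]
        directive, src = r["effective-directive"], r["blocked-uri"]
        if src in KEYWORDS:
            blocked[directive].add(src)  # needs a hash or nonce, not a host entry
            continue
        u = urlparse(src)
        if not u.hostname:
            continue  # skip reports that cannot be attributed to an origin
        src_origin = f"{u.scheme}://{u.netloc}"
        blocked[directive].add(src_origin)
        doc_host = urlparse(r["document-uri"]).hostname or ""
        if u.hostname != doc_host and bare_host(u.hostname) == bare_host(doc_host):
            self_mismatch.add(src_origin)
    return dict(blocked), self_mismatch

def suggest_sources(blocked):
    """Draft a source list per directive from the blocked origins (keywords excluded)."""
    return {d: " ".join(["'self'"] + sorted(s for s in srcs if s not in KEYWORDS))
            for d, srcs in blocked.items()}
```

Run it over the lines your report endpoint has logged; an origin listed under the mismatch set is a sign that the site is being served under both the apex and the `www` host rather than a third party that needs allow-listing.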

    Thread Starter hack3rcon

    (@hack3rcon)

    Thank you so much.
    I changed that line to the following:

    Header set Content-Security-Policy-Report_uri "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"

    And restarted my Apache service. How can I see the report?
    I checked the Developer Tools of Chromium browser:
    Chromium
    But the result of the https://securityheaders.com/ site has not changed!

    Moderator bcworkz

    (@bcworkz)

    See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#enabling_reporting
    Examine the referenced file via FTP or the hosting file manager.
