Support » Plugin: Code Snippets » Is it possible to unset or remove CSP header in admin area?

  • Hi Guys,
    Is it possible to unset or remove the Content Security Policy header in the WP admin area via functions?

    I’ve tried everything I can find – i.e. header_remove, header_unset, etc.

    I’ve tried <location ...> based.

    As it is, the CSP header is a real bugger to implement on WP. You can get it working “ok” on the front-end. But once you log in to the admin area then damn near everything is broken by it.

    I’ve decided I have a love-hate relationship with the CSP header at this point. Especially on WP with all of the inline js and css in WP core, themes and plugins. Nonce is a royal pain to set up and easily hacked if done incorrectly. Hashes are easy to set up but will instantly break as soon as the theme, plugin or core changes.

    At the moment I have mine set in “report only” mode to see if I can work it out in any way without the “unsafe” directive. Otherwise, “unsafe” defeats the whole purpose.

    By the way, my server is Apache with Nginx – PHP 7.3.3 running FPM application served by Nginx. — This means removing this header in admin area via htaccess is not an option.

    I appreciate any and all feedback you have on this.

    Thank you!
    LL

    • This topic was modified 5 months, 1 week ago by Leopard-Lady.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Shea Bunge

    (@bungeshea)

    If you’re using Nginx, you can set the CSP header in your .conf files using this form:

    add_header Content-Security-Policy "CONFIG";

    Thank you for your reply @bungeshea

    I realize I can set the CSP header via the .conf file.

    My question is: once the CSP header has been set up for the front-end of the site is it possible to “UNSET” or “REMOVE” it in the WP admin area via functions?

    CSP headers render the WP admin area nearly useless.

    I’ve tried everything I can find to use via functions – i.e. header_remove, header_unset, <location...> based. Nothing is working.

    Thank you,
    LL

    Plugin Author Shea Bunge

    (@bungeshea)

    Hi LL,

    Can you share your CSP header configuration from your .conf file?

    It’s possible to set headers for different locations in nginx.

    Hi @bungeshea
    Thank you for your help with this. Very kind of you.

    Here is my CSP header – currently in report-only mode as I continue to fine-tune it AND figure out how to unset it in the admin area:

    add_header Content-Security-Policy-Report-Only "default-src https:; script-src 'self' 'unsafe-inline' https: www.google-analytics.com; style-src 'self' 'unsafe-inline' cdn.mysite.com; img-src 'self' cdn.mysite.com https: www.google-analytics.com; font-src 'self' cdn.mysite.com; connect-src 'self' www.google-analytics.com; child-src 'self'; form-action 'self' https:; upgrade-insecure-requests; block-all-mixed-content; report-uri https://bmoc.report-uri.com/r/d/csp/wizard;";

    Thank you,
    LL
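One way to do what the thread asks for with the per-location header handling @bungeshea mentions, as an added example that is not code from the thread or from the plugin: nginx decides the header value with a map, so the front-end keeps the Report-Only policy posted above while /wp-admin/ and wp-login.php get none. The server block, docroot, socket path and the choice of which URLs count as "admin area" are assumptions.

```nginx
# Added example, not from the thread or the plugin. Assumptions: WordPress lives at
# the site root, PHP goes through a "location ~ \.php$" block to PHP-FPM, and the
# admin area means everything under /wp-admin/ plus wp-login.php.
#
# Why functions did not work: add_header is applied by nginx after PHP has finished,
# so header_remove() in PHP never sees it. Deciding the value in nginx instead works
# because add_header emits nothing when its value is an empty string.
# (map must sit in the http context, outside any server block.)

map $request_uri $csp_report_only {
    # Admin area and login page: no CSP header at all, as requested in the thread.
    # Alternative: put a separate, admin-tuned policy string here instead of "".
    ~^/wp-admin/      "";
    ~^/wp-login\.php  "";

    # Everything else: the Report-Only policy posted in the thread.
    default "default-src https:; script-src 'self' 'unsafe-inline' https: www.google-analytics.com; style-src 'self' 'unsafe-inline' cdn.mysite.com; img-src 'self' cdn.mysite.com https: www.google-analytics.com; font-src 'self' cdn.mysite.com; connect-src 'self' www.google-analytics.com; child-src 'self'; form-action 'self' https:; upgrade-insecure-requests; block-all-mixed-content; report-uri https://bmoc.report-uri.com/r/d/csp/wizard;";
}

server {
    listen 443 ssl;
    server_name example.com;   # placeholder
    root /var/www/html;        # assumed WordPress docroot

    # One add_header at server level; "always" also sends it on non-2xx responses.
    # Note: an add_header inside a location block replaces the server-level set
    # rather than adding to it, which is the other way to vary headers per location.
    add_header Content-Security-Policy-Report-Only $csp_report_only always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # assumed FPM socket path
    }
}
```

Check the result with `curl -sI https://example.com/` versus `curl -sI https://example.com/wp-admin/` and confirm the header is present only on the first; note that admin-ajax.php lives under /wp-admin/ and therefore also loses the policy.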
