Is it possible to unset or remove CSP header in admin area?

  • Resolved Leopard-Lady

    (@leopard-lady)


    7 years ago

    Hi Guys,
    Is it possible to unset or remove the Content Security Policy header in the WP admin area via functions?

    I’ve tried everything I can find – ie. header_remove, header_unset, etc.

    I’ve tried <location . . .> based.

    As it is, the CSP header is a real bugger to implement on WP. You can get it working “ok” on the front-end. But once you log in to the admin area then damn near everything is broken by it.

    I’ve decided I have a love-hate relationship with the CSP header at this point. Especially on WP with all of the inline js and css in WP core, themes and plugins. Nonce is a royal pain to set up and easily hacked if done incorrectly. Hashes are easy to set up but will instantly break as soon the the theme, plugin or core changes.

    At the moment I have mine set in “report only” mode to see if I can work it out in any way without the “unsafe” directive. Otherwise, “unsafe” defeats the whole purpose.

    By the way, my server is Apache with Nginx – PHP 7.3.3 running FPM application served by Nginx. — This means removing this header in admin area via htaccess is not an option.

    I appreciate any and all feedback you have on this.

    Thank you!
    LL

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Shea Bunge

    (@bungeshea)

    6 years, 11 months ago

    If you’re using Nginx, you can set the CSP header in your .conf files using this form:

    add_header Content-Security-Policy "CONFIG";

    Thread Starter Leopard-Lady

    (@leopard-lady)

    6 years, 11 months ago

    Thank you for your reply @bungeshea

    I realize I can set the CSP header via the .conf file.

    My question is: once the CSP header has been set up for the front-end of the site is it possible to “UNSET” or “REMOVE” it in the WP admin area via functions?

    CSP headers render the WP admin area nearly useless.

    I’ve tried everything I can find to use via functions – ie. header_remove, header_unset, <location…> based. Nothing is working.

    Thank you,
    LL

    Plugin Author Shea Bunge

    (@bungeshea)

    6 years, 11 months ago

    Hi LL,

    Can you share what your CSP header configuration in your .conf file?

    It’s possible to set headers for different locations in nginx.

    Thread Starter Leopard-Lady

    (@leopard-lady)

    6 years, 11 months ago

    Hi @bungeshea
    Thank you for your help with this. Very kind of you.

    Here is my CSP header – currently in report only mode as I continue to fine tune it AND figure out how to unset it in the admin area:

    add_header Content-Security-Policy-Report-Only "default-src https:; script-src 'self' 'unsafe-inline' https: www.google-analytics.com; style-src 'self' 'unsafe-inline' cdn.mysite.com; img-src 'self' cdn.mysite.com https: www.google-analytics.com; font-src 'self' cdn.mysite.com; connect-src 'self' www.google-analytics.com; child-src 'self'; form-action 'self' https:; upgrade-insecure-requests; block-all-mixed-content; report-uri https://bmoc.report-uri.com/r/d/csp/wizard;";

    Thank you,
    LL

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Is it possible to unset or remove CSP header in admin area?’ is closed to new replies.