• Resolved kjc041056

    (@kjc041056)


    I have SeaSP set in Report Only and Error Correction on. I am also using WP Cerber for security and have changed the login URL.

In the Cerber logs – I see repeated occurrences of the following. These seem to be coming from genuine users who have accessed pages on our site:

    /wp-admin/admin-ajax.php?nonce=xxxxxx – the nonce value is the same for every site and of course not xxxxxx

    The Form Field action = Blue_Triangle_Automated_CSP_Free_Send_CSP.

    The reply to these is always a 403.

    SeaSP appears to be collecting CSP Violation data as this shows up ok.

Is this behaviour to be expected?

    Thanks.

    • This topic was modified 3 years, 2 months ago by kjc041056.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author bluetriangle

    (@bluetriangle)

    I’m so sorry for the delay!

When error collection is turned on the form submits two callbacks. One is collected for WP Users who are logged in and the other is collected for non-logged-in Users. When someone visits a site with SeaSP installed and error collection on, violations get submitted to two places. When the violation gets submitted for a visitor that is not logged in, the logged-in callback will give a 403 response.

This is normal and should not cause problems, but we should not be calling both callbacks for users that are not logged in and we will fix this in the next release. We'll be updating our plugin at the beginning of next week.
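The reply above describes the plugin submitting violation reports to a logged-in callback and a non-logged-in callback, with the logged-in one answering 403 for anonymous visitors. The following is an added example written for this thread, not SeaSP's own code, of how a WordPress plugin can serve both kinds of visitor from one admin-ajax action: the same handler is registered under the `wp_ajax_` and `wp_ajax_nopriv_` prefixes, and the nonce handed to the browser is created for the visitor who will actually send it. The action name `example_csp_report`, the option name `example_csp_reports`, the script handle and the file `reporter.js` (assumed to listen for `securitypolicyviolation` events and POST the event fields as JSON) are placeholders invented for the illustration.

```php
<?php
/**
 * Added example (not SeaSP's own code): one admin-ajax endpoint that
 * receives CSP violation reports from both logged-in and anonymous
 * visitors, so the browser only ever has to call one URL.
 *
 * The action "example_csp_report", the option "example_csp_reports",
 * the script handle "example-csp-reporter" and the file reporter.js
 * are placeholders chosen for this illustration.
 */

// The same callback for both hook prefixes: wp_ajax_ fires for logged-in
// users, wp_ajax_nopriv_ for everyone else. Registering only the first
// leaves anonymous visitors without a handler, and admin-ajax.php rejects them.
add_action( 'wp_ajax_example_csp_report', 'example_handle_csp_report' );
add_action( 'wp_ajax_nopriv_example_csp_report', 'example_handle_csp_report' );

function example_handle_csp_report() {
    // The nonce ties the request to this site and to the sender's session
    // (user 0 for visitors). On mismatch WordPress answers 403 and stops here.
    check_ajax_referer( 'example_csp_report', 'nonce' );

    $raw    = isset( $_POST['report'] ) ? wp_unslash( $_POST['report'] ) : '';
    $report = json_decode( $raw, true );
    if ( ! is_array( $report ) ) {
        wp_send_json_error( array( 'message' => 'malformed report' ), 400 );
    }

    // Keep only the fields needed to build a policy (names follow the
    // browser's SecurityPolicyViolationEvent); sanitize everything stored.
    $entry = array(
        'directive' => sanitize_text_field( $report['violatedDirective'] ?? '' ),
        'blocked'   => esc_url_raw( $report['blockedURI'] ?? '' ),
        'document'  => esc_url_raw( $report['documentURI'] ?? '' ),
        'logged_in' => is_user_logged_in(),
        'time'      => time(),
    );

    $reports   = get_option( 'example_csp_reports', array() );
    $reports[] = $entry;
    // Cap the stored list so a flood of reports cannot bloat the options table.
    $reports = array_slice( $reports, -500 );
    update_option( 'example_csp_reports', $reports, false );

    wp_send_json_success();
}

// Hand the browser the endpoint URL and a nonce minted for *this* visitor.
// wp_create_nonce() produces a different value for user 0 than for a
// logged-in account, so a nonce made in a logged-in context does not
// verify when an anonymous visitor sends it back.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-csp-reporter', plugins_url( 'reporter.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-csp-reporter', 'exampleCsp', array(
        'endpoint' => admin_url( 'admin-ajax.php' ),
        'action'   => 'example_csp_report',
        'nonce'    => wp_create_nonce( 'example_csp_report' ),
    ) );
} );
```

With a single action registered under both prefixes, a visitor's report never has to be sent to a second, privileged URL, so the 403 entries that a security log like Cerber's would otherwise show for ordinary page views do not arise in the first place.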

    Thread Starter kjc041056

    (@kjc041056)

    Thanks for getting back to me. I have temporarily stopped working on this due to other issues but intend to get back next week.

This will be the first CSP I have developed, so I am still in learning mode. We are hosted on BigScoots which uses NGINX. Are there any specific considerations I should be aware of? I believe that the CSP is not stored in the .htaccess file but in NGINX config files?

    Thanks,
    Keith.

    Plugin Author bluetriangle

    (@bluetriangle)

    Hey there,

Thank you for using SeaSP content security manager. We made this plugin for people just like you who are new to the idea of having a CSP on their site. The content security policy (CSP) that is generated by our plugin is automatically deployed to the security headers of your website. There is no need to change the .htaccess file or any other files on your site. There are several ways to deploy a CSP, but in our experience with enterprise-level clients we have found the most secure way is to directly implement the CSP into a website's security headers the way our plugin does. Once you have collected all the violations on your site you can turn off error collection and turn on blocking mode to be fully protected. If you have any more questions please don't hesitate to ask. Also, if you have the time could you please leave a review either here or on our website seasp.bluetriangle.com; we would greatly appreciate it.
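The reply above says the policy is deployed as an HTTP response header from the plugin itself, so neither `.htaccess` (Apache) nor the NGINX configuration needs editing, and that the same policy is first run in report-only mode and later switched to blocking. The following is an added example, not SeaSP's code, of how a WordPress plugin does that from PHP: the policy is kept as data, the header name is chosen from a mode setting, and `Content-Security-Policy-Report-Only` only reports while `Content-Security-Policy` enforces. The option name `example_csp_mode`, the directive values, the CDN host and the `report-uri` path are placeholders for the illustration; a real policy is built from the violations that were collected.

```php
<?php
/**
 * Added example (not SeaSP's own code): emit the CSP as an HTTP response
 * header from PHP on every front-end request, so nothing in .htaccess or
 * in the NGINX server block has to change for the policy to take effect.
 *
 * The option "example_csp_mode", the source lists below, the host
 * cdn.example.invalid and the path /example-csp-report are placeholders.
 */

add_action( 'send_headers', 'example_send_csp_header' );

function example_send_csp_header() {
    // Directives kept as data so the policy can be reviewed and tested alone.
    $directives = array(
        'default-src'     => "'self'",
        'script-src'      => "'self' https://cdn.example.invalid",
        'style-src'       => "'self' 'unsafe-inline'",
        'img-src'         => "'self' data:",
        'object-src'      => "'none'",
        'base-uri'        => "'self'",
        'frame-ancestors' => "'self'",
        // Browsers POST violation reports here in both modes (placeholder path).
        'report-uri'      => '/example-csp-report',
    );

    // 'report' = Report-Only: the browser logs and reports, blocks nothing.
    // 'block'  = enforcing: the identical policy now blocks what it reported.
    $mode = get_option( 'example_csp_mode', 'report' );
    $name = example_csp_header_name( $mode );

    if ( ! headers_sent() ) {
        header( $name . ': ' . example_build_csp( $directives ) );
    }
}

// Map the stored mode to the header that carries the policy. Anything other
// than an explicit 'block' stays in Report-Only, so a missing or mistyped
// option can never silently switch the site into enforcing mode.
function example_csp_header_name( $mode ) {
    return ( 'block' === $mode )
        ? 'Content-Security-Policy'
        : 'Content-Security-Policy-Report-Only';
}

// Serialize the directive map into the "name sources; name sources" form.
function example_build_csp( array $directives ) {
    $parts = array();
    foreach ( $directives as $directive => $sources ) {
        $parts[] = $directive . ' ' . $sources;
    }
    return implode( '; ', $parts );
}
```

Because the header is written by PHP at request time, it travels in the response regardless of whether Apache or NGINX sits in front of it; the one thing to check on a cached or CDN-fronted host is that the cache passes the `Content-Security-Policy*` headers through unchanged, which can be confirmed by inspecting the response headers of a page load in the browser's network panel.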

  • The topic ‘WP-Admin access’ is closed to new replies.