November 1, 2019 at 6:53 pm #1153114
I started to secure my different sites by adding different header entries via the htaccess file.
When inserting the Content-Security-Policy header, some options in Enfold Options didn’t work as expected.
    # Extra Security Headers
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self';"
    </IfModule>
I have to find a whitelist now for google maps and some other things – but I thought that all inline css and scripts are loaded over https per default.
you can check your site f.e. here: https://securityheaders.com/
one trouble seems to come from using in plugins the
plugin_dir_url( __FILE__ ) for the assets path – sometimes this ends in http loading and a mixed content message – and insecure messages from the browser window.
how to solve this above and f.e. the plugins problem?
Edit: I know that this is maybe more or less a WordPress topic – but I do not know a lot of developers and coders like f.e. Günter ;)
maybe he has a hint for me.

November 1, 2019 at 8:04 pm #1153121
My efforts for now: I set up an own htaccess file for the admin area with fewer restrictions.
That is good for the options in Enfold – but there is a lot to do to have a secure site – and white lists for google maps f.e. etc.
If someone has a good example page – it would be nice to see.

November 1, 2019 at 9:53 pm #1153138
Ok, thanks for now:
these are my efforts on that: https://securityheaders.com/?q=https%3A%2F%2Fwebers-webdesign.de%2F
you can see my code inserted in the htaccess file on that page.

November 5, 2019 at 12:15 pm #1153969
so these settings work very well – but they always have to be adjusted to your website.
The best would be to start with a standard entry in the htaccess file:

    # Extra Security Headers
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set Referrer-Policy no-referrer
    Header set Feature-Policy "camera 'none'; microphone 'none'; payment 'none';"
    Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
    </IfModule>

Do not insert this between the standard entry of WordPress itself:
between # BEGIN WordPress and # END WordPress
After that, look at your site and open the developer tools of your browser – go to the console log and look for errors.
If you have a youtube film f.e., you have to exclude these sources from the Content-Security-Policy;
you see that in the code above, f.e. gravatar.com is excluded from img-src.
Google Maps needs to have contact to api etc. pp.

November 7, 2019 at 11:26 am #1154577
Why is it necessary to set the script-src to ‘unsafe-inline’ and ‘unsafe-eval’ in the content security policy?
without it, it does not work – same thing with style-src.
My whole website is https – I force it via wp-config, and in htaccess there are entries too!
But when I set the given CSP to only ‘self’, a lot of things do not work.

November 11, 2019 at 9:38 pm #1155764
Gunter will check this, but it seems that this is not only based on us, but also on how, for example, redux is working.
This would need a little bit of digging to find out all the things required to fix, but we appreciate all the input.
Basilis

November 12, 2019 at 10:26 am #1155949
Most people forget to set these helpful headers. Many of the known attack possibilities (man in the middle, cross-site scripting etc.) are almost impossible then.
It just needs some reworking, since everyone wants to have different features on his site (Google Maps, Google Analytics, Youtube, Vimeo, CDNs to present media files).
What I’m only surprised about is that some things I thought were covered by the ‘self’ setting are not (script loading and stylesheet loading). To have the normal outlook of the Enfold options I had to set:

    script-src 'self' 'unsafe-eval' 'unsafe-inline'
    style-src 'self' 'unsafe-inline'

So I allow scripts and stylesheets to be loaded insecurely inline (http).
My guess was that some of these get parameters ( https://codex.wordpress.org/Determining_Plugin_and_Content_Directories ) are causing insecure loading. Because I force my whole site to be https by a wp-config entry, I have these inconsistencies – like the image above shows you.

November 22, 2019 at 7:20 pm #1159304
I too have run into issues with security headers and the use of ‘self’. I’m guessing it is WordPress related and not the theme, as I also run sites built on Avada and the same happens. Using ‘self’ in CSP for some reason blocks internal assets. Adding ‘unsafe-inline’ does work but defeats the object of setting the headers.
I’ve set my CSP to report only while I compile the policies. Here’s what I have below for allowing Google if you need them. I’m setting mine via php rather than htaccess.

    // FF 23+ Chrome 25+ Safari 7+ Opera 19+
    header("Content-Security-Policy-Report-Only: default-src 'self' https:; script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src data: fonts.gstatic.com 'self'; img-src data: www.google-analytics.com 'self' secure.gravatar.com");
    // IE 10+
    header("X-Content-Security-Policy-Report-Only: default-src 'self' https:; script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src data: fonts.gstatic.com 'self'; img-src data: www.google-analytics.com 'self' secure.gravatar.com");

Hopefully the ‘self’ issue will get resolved.
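The thread keeps circling around one question: why does 'self' not cover the theme's own scripts and styles? 'self' matches resources fetched from the page's own origin; inline <script> and <style> blocks, which Enfold and many plugins write straight into the page, are never fetched, so a policy of default-src 'self' blocks them and only 'unsafe-inline', a nonce or a hash lets them run. The following Python script is an added example (not code from this thread, from Enfold or from WordPress) that parses a CSP value the way a browser resolves it, applies the default-src fallback, and flags the weak sources discussed above. The two policies it checks are copied from the November 5 and November 12 posts; the finding texts are the example's own wording.

```python
"""Check a Content-Security-Policy value for the weak sources discussed above.

Added example, not code from the thread. The two policies are copied from the
posts of November 5 and November 12; everything else is illustrative.
"""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when absent. Directives such
# as frame-ancestors, form-action and base-uri do NOT fall back.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}

# Policy from the htaccess block posted on November 5.
POLICY_HTACCESS = "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
# Policy needed for the Enfold admin area, as posted on November 12.
POLICY_ADMIN = ("default-src 'self'; "
                "script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                "style-src 'self' 'unsafe-inline';")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "name src src; name src" into {directive: [sources]}.

    Browsers honour only the first occurrence of a directive, so a repeated
    directive is ignored here too.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Sources that really apply to `directive`; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def find_weaknesses(header: str) -> List[str]:
    """Findings for the directives that matter most for injection risk."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "style-src", "object-src", "img-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (no directive, no default-src)")
            continue
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
        strict_inline = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in sources)
        for src in sources:
            low = src.lower()
            if low == "'unsafe-inline'" and directive in ("script-src", "style-src"):
                if not strict_inline:
                    findings.append(f"{directive}: 'unsafe-inline' allows any inline "
                                    "code, including injected (XSS) content")
            elif low == "'unsafe-eval'" and directive == "script-src":
                findings.append("script-src: 'unsafe-eval' allows eval()/new Function() "
                                "on strings")
            elif low in ("*", "http:") or low.startswith("http://"):
                findings.append(f"{directive}: {src} allows any host or plaintext "
                                "(http) loading")
            elif low == "https:" and directive in ("script-src", "object-src"):
                findings.append(f"{directive}: https: lets any HTTPS host supply code")
    return findings


if __name__ == "__main__":
    for name, policy in (("htaccess", POLICY_HTACCESS), ("admin", POLICY_ADMIN)):
        print(f"== {name}: {policy}")
        for finding in find_weaknesses(policy) or ["no findings"]:
            print("  -", finding)
```

Run as a script it reports one finding for the htaccess policy (the http: scheme in img-src permits plaintext image loads, which is the mixed-content symptom described earlier in the thread) and three for the admin policy, all of them the inline and eval allowances that the posts say Enfold's options pages need. Anything a browser console shows as blocked under default-src 'self' is, by this logic, either a third-party host that has to be listed per directive or inline code that needs a hash or nonce rather than 'unsafe-inline'.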
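Two things from the last post, worked through as an added example (not code from the thread, from Enfold or from WordPress): reading the violation reports that a Report-Only policy produces while the policy is being compiled, and allowing one specific inline block by hash instead of adding 'unsafe-inline'. Browsers only send reports when the policy also names a report-uri (or report-to) endpoint, which the posted header does not yet do; the sample reports, the shop.example host and the blocked URLs below are constructed.

```python
"""Turn Content-Security-Policy violation reports into an allow-list, and hash
inline code instead of falling back to 'unsafe-inline'.

Added example, not code from the thread. SAMPLE_REPORTS is constructed to look
like what browsers POST to the report-uri endpoint of a Report-Only policy; the
shop.example host and the blocked URLs are illustrative.
"""
import base64
import hashlib
import json
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE_REPORTS = [  # constructed sample, one JSON object per violation
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": '
    '"script-src", "blocked-uri": "https://maps.googleapis.com/maps/api/js?key=X"}}',
    '{"csp-report": {"document-uri": "https://shop.example/contact", '
    '"effective-directive": "script-src", "blocked-uri": "inline", "line-number": 42}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": '
    '"style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/blog", "effective-directive": '
    '"img-src", "blocked-uri": "https://secure.gravatar.com/avatar/0123abcd"}}',
    '{"csp-report": {"document-uri": "https://shop.example/blog", "effective-directive": '
    '"img-src", "blocked-uri": "https://secure.gravatar.com/avatar/4567ef01"}}',
    # CSP1-era report: no effective-directive, only the violated directive text.
    '{"csp-report": {"document-uri": "https://shop.example/blog", "violated-directive": '
    '"img-src \'self\'", "blocked-uri": "https://secure.gravatar.com/avatar/89ab"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": '
    '"font-src", "blocked-uri": "https://fonts.gstatic.com/s/opensans/v1/x.woff2"}}',
]

# Values of blocked-uri that mean "inline code", not a remote host.
# Older Firefox builds reported inline blocks as "self".
INLINE_MARKERS = {"inline", "eval", "self"}


def summarise_reports(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count blocked origins per directive: {directive: {origin or marker: n}}."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        report = json.loads(line)["csp-report"]
        directive = (report.get("effective-directive")
                     or report["violated-directive"].split()[0])
        blocked = report.get("blocked-uri", "")
        parts = urlsplit(blocked)
        if blocked in INLINE_MARKERS:
            key = blocked
        elif parts.netloc:
            key = f"{parts.scheme}://{parts.netloc}"  # origin only, never the path
        else:
            key = blocked or "unknown"
        counts[directive][key] += 1
    return {d: dict(v) for d, v in counts.items()}


def proposed_policy(summary: Dict[str, Dict[str, int]]) -> str:
    """Allow-list per directive from the observed origins. Inline blocks are
    deliberately left out: they are handled with hash_source() below."""
    clauses = []
    for directive in sorted(summary):
        hosts = sorted(k for k in summary[directive]
                       if k not in INLINE_MARKERS and k != "unknown")
        clauses.append(" ".join([directive, "'self'"] + hosts))
    return "; ".join(clauses)


def directives_with_inline(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Directives that blocked inline code and therefore need hashes or nonces."""
    return sorted(d for d, v in summary.items() if INLINE_MARKERS & set(v))


def hash_source(inline_code: str) -> str:
    """CSP hash-source for the exact body of one inline <script> or <style>."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


if __name__ == "__main__":
    summary = summarise_reports(SAMPLE_REPORTS)
    print("Content-Security-Policy:", proposed_policy(summary))
    print("inline code blocked in:", directives_with_inline(summary))
    print("hash for console.log('hi'):", hash_source("console.log('hi')"))
```

A hash matches only the exact bytes of one inline block, so it suits static inline code; inline code that differs per page or per request (theme options rendered into a style block, for instance) needs a per-response nonce instead, which the server has to place in both the header and every tag it wants to allow. Either way the policy stays at 'self' plus named origins, which is what the report-only phase is meant to arrive at.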