-
Posts
-
i started to secure my different sites by adding different header entries via htaccess file.
when inserting Content-Security-Policy header some options in Enfold Options didn’t work as expected.# Extra Security Headers <IfModule mod_headers.c> Header set Content-Security-Policy "default-src 'self';" </IfModule>i have to find a whitelist now for google maps and some other things – but i thought that all inline css and scripts are loaded over https per default.
f.e. see how it looks:
you can check your site f.e. here: https://securityheaders.com/
one trouble seems to come from using in plugins the
plugin_dir_url( __FILE__ )for the assets path – sometimes this ends in http loading and mixed content message – and unsecure messages from the browser window.
how to solve this above and f.e. the plugins problematicEdit: i know that this maybe more or less a wordpress topic – but i do not know a lot of developers and coders like f.e. Günter ;)
maybe he have a hint for me.My efforts for now: i did setup for the admin area an own htaccess file with less restrictions.
That is good for the options in enfold – but there is a lot to do to have a secure site – and white lists for google maps f.e. etc.
If someone has a good example page – it would be nice to see.Ok _ thanks for now :
these are my efforts on that: https://securityheaders.com/?q=https%3A%2F%2Fwebers-webdesign.de%2F
you can see my code inserted in htaccess file on that page.so these settings works very well – but had to be always adjusted to your website.
The best would be to start with a Standard Entry in htaccess file# Extra Security Headers <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" Header always append X-Frame-Options SAMEORIGIN Header set X-Content-Type-Options nosniff Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Header set Referrer-Policy no-referrer Header set Feature-Policy "camera 'none'; microphone 'none'; payment 'none';" Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;" </IfModule>Do not insert this between the standard Entry of WordPress itself:
Between # BEGIN WordPress and # END WordPressAfter that you look to your site and open the developer tools of your browser – goto console log and look for errors.
If you have a youtube film – f.e. you have to exclude these sources from the Content-Security-Policy
you see that on the code above f.e. the gravatar.com is excluded from img-src .
Google Maps needs to have contact to api etc. pp.Why is it necessary to set the script-src to ‘unsafe-inline’ and ‘unsafe-eval’ – in content security policy ?
without it does not work – same thing with style-src .
My whole website is https – i force it via wp-config and on htaccess there are entries too!
But when i set the given CSP to only ‘self’ a lot of things do not work.Hi,
Gunter will check this, but it seems that this is not only based on us, but also how for example redux is working.
This would need a little bit of digging to find out all the things required to fix, but we appreciate all the input.Best regards,
BasilisMost people do forget to set these helpfull headers. Many of the known attack possibilities ( man in the middle , cross-site-scripting etc.) are almost impossible then.
It just needs some reworking, since everyone wants to have different features on his site; (Google Maps, Google Analytics, Youtube, Vimeo, CDNs to present media files).What I’m only surprised about is that some things I thought were covered by the ‘self’ setting, which is not the case (script loading and stylesheet loading). To have normal outlook of Enfold options i had to set for:
script-src ‘self’ ‘unsafe-eval’ ‘unsafe-inline’
style-src ‘self’ ‘unsafe-inline’So I allow scripts and stylesheets to be loaded insecurely inline (http).
My guess was that some of these get parameters ( https://codex.wordpress.org/Determining_Plugin_and_Content_Directories ) are causing insecure loading. Because i force my whole site to be https by wp-config entry – i have these inconsistancies – like the image above shows you.
Hi,
I too have run into issues with with security headers and the use of ‘self.’ I’m guessing it is WordPress related and not theme as I also run sites built on Avada and the same happens. Using the ‘self’ in CSP for some reason blocks internal assets. Adding ‘unsafe-inline’ does work but defeats the object of setting the headers.
I’ve set my CSP to report only while I compile the policies. Here’s what i have below for allowing Google if you need them. I’m setting mine via php rather than htaccess.
header("Content-Security-Policy-Report-Only: default-src 'self' https:; script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src data: fonts.gstatic.com 'self'; img-src data: www.google-analytics.com 'self' secure.gravatar.com"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+ header("X-Content-Security-Policy-Report-Only: default-src 'self' https:; script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src data: fonts.gstatic.com 'self'; img-src data: www.google-analytics.com 'self' secure.gravatar.com"); // IE 10+Hopefully the ‘self’ issue will get resolved.
Thanks
TJ
You must be logged in to reply to this topic.