
Viewing 8 posts - 1 through 8 (of 8 total)
    #1153114

    I started to secure my different sites by adding different header entries via the htaccess file.
    When inserting a Content-Security-Policy header, some options in Enfold Options didn’t work as expected.

    # Extra Security Headers
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self';"
    </IfModule>

    I have to find a whitelist now for Google Maps and some other things – but I thought that all inline CSS and scripts are loaded over https by default.

    e.g. see how it looks:

    You can check your site e.g. here: https://securityheaders.com/

    One trouble seems to come from plugins using plugin_dir_url( __FILE__ ) for the assets path – sometimes this ends in http loading and a mixed content message – and insecure warnings from the browser window.
    How to solve the above and e.g. the plugins problem?

    Edit: I know that this is maybe more or less a WordPress topic – but I do not know a lot of developers and coders like e.g. Günter ;)
    Maybe he has a hint for me.

    #1153121

    My efforts for now: I set up for the admin area its own htaccess file with fewer restrictions.
    That is good for the options in Enfold – but there is a lot to do to have a secure site – and whitelists for Google Maps etc.
    If someone has a good example page – it would be nice to see.

    #1153138

    Ok – thanks for now:
    these are my efforts on that: https://securityheaders.com/?q=https%3A%2F%2Fwebers-webdesign.de%2F
    You can see my code inserted in the htaccess file on that page.

    #1153969

    So these settings work very well – but they always have to be adjusted to your website.
    The best would be to start with a standard entry in the htaccess file:

    # Extra Security Headers
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set Referrer-Policy no-referrer
    Header set Feature-Policy "camera 'none'; microphone 'none'; payment 'none';"
    Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
    </IfModule>

    Do not insert this inside the standard entry of WordPress itself, between # BEGIN WordPress and # END WordPress.

    After that, look at your site and open the developer tools of your browser – go to the console log and look for errors.
    If you have a YouTube film, e.g., you have to exclude these sources from the Content-Security-Policy;
    you see that in the code above, e.g. gravatar.com is excluded from img-src.
    Google Maps needs to have contact to the API etc.
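    The procedure above (set the headers, then read the console for blocked resources and adjust the policy) is what a small policy linter can do ahead of time. The following Python script is an added example for this thread, not code from Enfold, WordPress or any poster: it parses a Content-Security-Policy value into directives, applies the browser's fall-back from script-src/style-src to default-src, and flags the exact things the thread runs into: 'unsafe-inline'/'unsafe-eval', plain http: sources, and the fact that 'self' matches same-origin URLs only and never permits inline <script>/<style> blocks (which is why the Enfold options break under "default-src 'self'"). The two sample policies are copied from the posts in this thread; the checks are my own.

```python
"""Parse a Content-Security-Policy value and report the things this thread
trips over: 'unsafe-inline'/'unsafe-eval' in script-src and style-src, plain
http: sources, and the fact that 'self' alone never permits inline code.

Added example for the thread; the two sample policies are copied from the
posts, the checks are my own and not from Enfold or WordPress.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "frame-src", "media-src", "object-src",
)

# Policy from the htaccess post above and from TJ's PHP header (straight quotes).
POLICY_HTACCESS = "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
POLICY_TJ = ("default-src 'self' https:; "
             "script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com "
             "www.google.com www.gstatic.com maps.googleapis.com; "
             "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
             "font-src data: fonts.gstatic.com 'self'; "
             "img-src data: www.google-analytics.com 'self' secure.gravatar.com")


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}.
    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a duplicated directive wins."""
    policy: dict[str, list[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources a browser actually applies to `directive`, honouring the
    fall-back to default-src for the fetch directives listed above."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []  # not a fetch directive: no fall-back, unrestricted


def lint_csp(header_value: str) -> list[str]:
    """Return human-readable findings for a policy string."""
    policy = parse_csp(header_value)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives are unrestricted")

    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"{directive} allows {weak}")
        # 'self' matches same-origin URLs only; inline <script>/<style> blocks
        # and style="" attributes need 'unsafe-inline', a nonce or a hash.
        permits_inline = "'unsafe-inline'" in sources or any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
        )
        if sources and not permits_inline:
            findings.append(f"{directive} blocks inline code ('self' only matches URLs)")

    for directive, sources in policy.items():
        if "http:" in sources or any(s.startswith("http://") for s in sources):
            findings.append(f"{directive} allows plain-http sources")

    if "'none'" not in effective_sources(policy, "object-src"):
        findings.append("object-src is not 'none' (plugin/object embeds allowed)")
    return findings


if __name__ == "__main__":
    for name, policy in (("htaccess", POLICY_HTACCESS), ("TJ", POLICY_TJ)):
        print(f"== {name} ==")
        for finding in lint_csp(policy):
            print(" -", finding)
```

    Run it on your own header value before deploying: the "blocks inline code" finding is the one behind the broken Enfold options, and the way out that keeps the protection is a per-request nonce or a hash for the theme's inline scripts rather than 'unsafe-inline' for the whole site.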

    #1154577

    Why is it necessary to set the script-src to ‘unsafe-inline’ and ‘unsafe-eval’ in the Content Security Policy?

    Without it, it does not work – same thing with style-src.

    My whole website is https – I force it via wp-config and in htaccess there are entries too!
    But when I set the given CSP to only ‘self’ a lot of things do not work.

    #1155764

    Hi,

    Günter will check this, but it seems that this is not only based on us, but also on how, for example, Redux is working.
    This would need a little bit of digging to find out all the things required to fix, but we appreciate all the input.

    Best regards,
    Basilis

    #1155949

    Most people forget to set these helpful headers. Many of the known attack possibilities (man in the middle, cross-site scripting etc.) are almost impossible then.
    It just needs some reworking, since everyone wants to have different features on their site (Google Maps, Google Analytics, YouTube, Vimeo, CDNs to present media files).

    What I’m only surprised about is that some things I thought were covered by the ‘self’ setting are not (script loading and stylesheet loading). To have the normal look of the Enfold options I had to set:

    script-src 'self' 'unsafe-eval' 'unsafe-inline'
    style-src 'self' 'unsafe-inline'

    So I allow scripts and stylesheets to be loaded insecurely inline (http).

    My guess was that some of these get parameters ( https://codex.wordpress.org/Determining_Plugin_and_Content_Directories ) are causing insecure loading. Because I force my whole site to be https by a wp-config entry – I have these inconsistencies – like the image above shows you.

    #1159304

    Hi,

    I too have run into issues with security headers and the use of ‘self’. I’m guessing it is WordPress related and not the theme, as I also run sites built on Avada and the same happens. Using ‘self’ in the CSP for some reason blocks internal assets. Adding ‘unsafe-inline’ does work but defeats the object of setting the headers.

    I’ve set my CSP to report only while I compile the policies. Here’s what I have below for allowing Google if you need it. I’m setting mine via PHP rather than htaccess.

    header("Content-Security-Policy-Report-Only: default-src 'self' https:; script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src data: fonts.gstatic.com 'self'; img-src data: www.google-analytics.com 'self' secure.gravatar.com"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+
    header("X-Content-Security-Policy-Report-Only: default-src 'self' https:; script-src 'self' 'unsafe-inline' ajax.googleapis.com www.google-analytics.com www.google.com www.gstatic.com maps.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src data: fonts.gstatic.com 'self'; img-src data: www.google-analytics.com 'self' secure.gravatar.com"); // IE 10+

    Hopefully the ‘self’ issue will get resolved.

    Thanks

    TJ
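    Running the policy in Content-Security-Policy-Report-Only, as TJ does above, only pays off if the violations are collected: the header as posted has no report-uri directive, so browsers print violations to the console but send them nowhere. With `report-uri /csp-report` appended and an endpoint that appends each POSTed JSON document to a file, the following Python script (an added example for this thread, not code from any poster, Enfold or WordPress) aggregates those reports per directive and turns them into allow-list suggestions. The report lines are constructed in the JSON shape browsers send; the document URIs, hosts and the endpoint are assumptions. Inline and eval hits are kept apart from host hits on purpose, since the answer to them is a nonce or hash per script rather than 'unsafe-inline' for the whole site.

```python
"""Aggregate CSP violation reports collected while a policy runs in
Content-Security-Policy-Report-Only and turn them into per-directive
allow-list suggestions.

Added example for the thread; the report lines are constructed in the JSON
shape browsers POST to a report-uri endpoint, which is assumed to append one
report per line to a file. Hosts and document URIs are placeholders.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample reports (not real traffic), one JSON document per line,
# plus one malformed line to show the collector tolerates junk.
SAMPLE_REPORT_LINES = [json.dumps({"csp-report": r}) for r in (
    {"document-uri": "https://example.test/", "effective-directive": "script-src",
     "blocked-uri": "inline", "original-policy": "default-src 'self'"},
    {"document-uri": "https://example.test/", "effective-directive": "script-src",
     "blocked-uri": "inline", "original-policy": "default-src 'self'"},
    {"document-uri": "https://example.test/contact/", "effective-directive": "script-src",
     "blocked-uri": "https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER"},
    {"document-uri": "https://example.test/", "effective-directive": "img-src",
     "blocked-uri": "https://secure.gravatar.com/avatar/0123abcd"},
    {"document-uri": "https://example.test/", "effective-directive": "style-src",
     "blocked-uri": "inline"},
    {"document-uri": "https://example.test/", "effective-directive": "font-src",
     "blocked-uri": "data"},
)] + ["this line is not JSON"]


def source_of(blocked_uri: str) -> str:
    """Reduce a blocked-uri to the source expression you would put in the
    policy. Browsers send the keywords 'inline', 'eval', 'data', 'blob'
    instead of a URL for those cases."""
    if blocked_uri in ("inline", "eval"):
        return blocked_uri
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"
    parts = urlsplit(blocked_uri)
    # Keep the bare host, the form used in the policies in this thread.
    return parts.netloc or blocked_uri


def aggregate_reports(lines) -> dict[str, Counter]:
    """Return {directive: Counter({source: hits})}; malformed lines are skipped."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        try:
            report = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue
        # Older browsers only send violated-directive ("script-src 'self'"),
        # so fall back to its first word.
        directive = report.get("effective-directive") or \
            (report.get("violated-directive") or "unknown").split()[0]
        summary[directive][source_of(report.get("blocked-uri", ""))] += 1
    return dict(summary)


def suggest_sources(summary: dict[str, Counter]) -> dict[str, dict]:
    """Per directive: hosts to add, and whether inline/eval were hit.
    Inline and eval hits are kept separate: the fix there is a nonce or
    hash per script, not 'unsafe-inline' for the whole site."""
    suggestions: dict[str, dict] = {}
    for directive, counts in summary.items():
        suggestions[directive] = {
            "hosts": sorted(s for s in counts if s not in ("inline", "eval")),
            "inline": "inline" in counts,
            "eval": "eval" in counts,
        }
    return suggestions


if __name__ == "__main__":
    summary = aggregate_reports(SAMPLE_REPORT_LINES)
    for directive, advice in suggest_sources(summary).items():
        print(directive, advice)
```

    Point it at the collected file instead of SAMPLE_REPORT_LINES (one report per line) once the report-only policy has been live for a while; the "hosts" lists are what goes into the enforced policy, and any directive with "inline": True is where nonces or hashes are needed before switching from report-only to enforcement.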

