April 26, 2022 at 8:54 am #1349468
These entries in your .htaccess (for Apache; please google for alternative methods on different servers) help to increase the security of your site visitors. You can inspect your site, for example, on: https://securityheaders.com
I’ve been working on the topic of finding a solution for WordPress that also passes critical tests for quite some time.
Unfortunately, up to now, with some settings of the Content Security Policy WordPress did not work in the frontend, and Enfold, for example, did not show all the options correctly. Some of the settings had to have an “unsafe” value set, e.g. script-src 'unsafe-inline'. Now there are new ways to set the CSP to pass the test pages with an A+ and still have the frontend work unaffected.
However, I had to set another setting (Referrer-Policy) a little lower in security level so that the YouTube videos created in Enfold also work correctly. With this code here I have done well so far:

```apacheconf
# -----------------------------------------------------------------------------
# HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2022
# -----------------------------------------------------------------------------
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "camera=(), fullscreen=(self), geolocation=(self), microphone=(), interest-cohort=()"
Header always set Expect-CT "enforce, max-age=21600"
</IfModule>
```

By the way, sometimes it needs an Apache server restart.
https://securityheaders.com/?q=webers-testseite.de&followRedirects=on

May 1, 2022 at 6:13 am #1350101
Yes, the
Content-Security-Policy "upgrade-insecure-requests"
is new. The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
July 4, 2022 at 10:12 am #1357180
@guenni007
Nice work on this. I see warnings in Web Vitals about this under best practice.
Did you just insert this code into the header on every page?
July 4, 2022 at 11:10 am #1357181
This is part of the .htaccess file in the root folder of your WordPress installation. That file has no file extension and is a hidden file (with a dot in front: .htaccess), but you can force most FTP clients to show those files (e.g. FileZilla, under the Server menu).
Maybe Google does not like the interest-cohort=() option – read about that setting and Google FLoC.
July 4, 2022 at 11:20 am #1357182
Thanks Guenni007.
Sorry, an oversight on my part. I didn’t look at the tags properly; it’s obviously an Apache mod_headers directive, not an HTML tag!
I’ll try this out on a couple of sites.
Thanks for confirming :)

December 3, 2024 at 5:09 pm #1472789
Hi Guenni007
I found this thread and have a related problem: https://kriesi.at/support/topic/lighthouse-csp-errors/
The mods can’t help – can you offer any suggestions?
Thanks.
December 18, 2024 at 7:16 am #1473873
Hi,
@zimbo: We adjusted the directive a bit — specifically the Content-Security-Policy. Please try testing it again:
```apacheconf
# -----------------------------------------------------------------------------
# HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2022
# -----------------------------------------------------------------------------
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests;"
Header always set Permissions-Policy "camera=(), fullscreen=(self), geolocation=(self), microphone=(), interest-cohort=()"
Header always set Expect-CT "enforce, max-age=21600"
</IfModule>
```
Best regards,
Ismael

December 18, 2024 at 1:30 pm #1473898
In the meantime I have some more entries on that in my .htaccess file:
```apacheconf
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
# "Header set" replaces the value, so this second line overrides the one above
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)"
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-site"
</IfModule>
```
With this setting I do not have any errors on PageSpeed Insights or on Lighthouse (inside the Chrome browser), just warnings.
You can see the results here: https://securityheaders.com/?q=webers-testseite.de&followRedirects=on
Although this is criticized, it does not prevent you from receiving the 100 points ;)
I fear that you will block some scripts with script-src 'self' on Advanced LayerSlider.
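The following is an added example, not code from this thread, from Enfold or from the header scanners it links to. It replays the `Header` lines of the .htaccess block posted above (copied into the HTACCESS string) the way mod_headers would, so you can see which values actually reach the browser (with two `Header set Referrer-Policy` lines only the last one survives), and then runs offline the kind of checks a securityheaders.com-style scanner applies. It also covers the point from the May 1, 2022 reply: `upgrade-insecure-requests` on its own rewrites http:// subresources but does not restrict scripts at all. The finding codes and messages are my own; the one-year HSTS minimum is the HSTS preload list's requirement.

```python
import re
import shlex

# mod_headers syntax: Header [always|onsuccess] set|add|append|merge|unset NAME [VALUE]
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+|onsuccess\s+)?(set|add|append|merge|unset)\s+(.+)$', re.I)
ONE_YEAR = 31536000  # smallest HSTS max-age the preload list accepts


def apply_htaccess(config_text):
    """Replay Header directives; return (headers, overwrites) for a normal 2xx response.

    `set` replaces the current value, so with duplicate names the LAST `set` wins and
    the earlier line is dead; every replaced value is reported in `overwrites`.
    `add`/`append`/`merge` combine with an existing value; `unset` removes it.
    `always` only widens the condition to error responses, which changes nothing for a
    normal page load, so both header tables are folded together here.
    A stray ':' typed after the header name is stripped.
    """
    headers, spelling, overwrites = {}, {}, []
    for line in config_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue                              # comments, <IfModule>, other directives
        action, args = m.group(1).lower(), shlex.split(m.group(2))
        name = args[0].rstrip(':')
        key = name.lower()                        # header names are case-insensitive
        value = args[1] if len(args) > 1 else ''
        if action == 'unset':
            headers.pop(key, None)
            continue
        if action == 'set' and key in headers and headers[key] != value:
            overwrites.append((spelling[key], headers[key], value))
        if action == 'set' or key not in headers:
            headers[key] = value
        else:
            headers[key] += ', ' + value
        spelling[key] = name
    return {spelling[k]: v for k, v in headers.items()}, overwrites


def parse_csp(policy):
    """Split a CSP string into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(';'):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit(headers):
    """Return findings as (severity, code, message) tuples; severity is 'fail' or 'warn'."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    hsts = h.get('strict-transport-security')
    if hsts is None:
        out.append(('fail', 'hsts-missing', 'Strict-Transport-Security not sent'))
    else:
        m = re.search(r'max-age=(\d+)', hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            out.append(('warn', 'hsts-short', f'HSTS max-age={age}; preload needs >= {ONE_YEAR}'))
        if 'preload' in hsts.lower() and 'includesubdomains' not in hsts.lower():
            out.append(('fail', 'hsts-preload-no-subdomains', 'preload requires includeSubDomains'))
    csp = parse_csp(h['content-security-policy']) if 'content-security-policy' in h else None
    if csp is None:
        out.append(('fail', 'csp-missing', 'Content-Security-Policy not sent'))
    else:
        script = csp.get('script-src', csp.get('default-src'))  # script-src falls back to default-src
        if script is None:
            out.append(('warn', 'csp-no-script-src', 'no script-src/default-src: scripts are '
                        'unrestricted; upgrade-insecure-requests alone only rewrites http:// subresources'))
        elif "'unsafe-inline'" in [s.lower() for s in script] and not any(
                s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script):
            out.append(('warn', 'csp-unsafe-inline',
                        "script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts run"))
    if 'x-frame-options' not in h and not (csp and 'frame-ancestors' in csp):
        out.append(('fail', 'framing-unrestricted', 'neither X-Frame-Options nor frame-ancestors'))
    if h.get('x-content-type-options', '').lower() != 'nosniff':
        out.append(('fail', 'nosniff-missing', 'X-Content-Type-Options: nosniff not sent'))
    for name in ('referrer-policy', 'permissions-policy'):
        if name not in h:
            out.append(('warn', f'{name}-missing', f'{name} not sent'))
    for name in ('x-xss-protection', 'expect-ct'):
        if name in h:
            out.append(('warn', f'{name}-deprecated', f'{name} is deprecated; do not rely on it'))
    return out


# Copied from the .htaccess posted above, duplicate Referrer-Policy lines included.
HTACCESS = r'''
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)"
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-site"
</IfModule>
'''

if __name__ == '__main__':
    hdrs, dead = apply_htaccess(HTACCESS)
    print(*(f'{n}: {v}' for n, v in hdrs.items()), sep='\n')
    print(*(f'!! dead line: {n} "{old}" is overwritten by "{new}"' for n, old, new in dead), sep='\n')
    print(*(f'[{sev}] {code}: {msg}' for sev, code, msg in audit(hdrs)), sep='\n')
```

Running it on the block above reports the dead `no-referrer` line, warns that the CSP does not restrict scripts, and flags `X-XSS-Protection` as deprecated; swapping in Ismael's `script-src 'self'` policy removes the first CSP warning, and adding `'unsafe-inline'` to it trades that for the `csp-unsafe-inline` warning instead.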
December 19, 2024 at 5:11 am #1473976

December 19, 2024 at 6:21 am #1473983
By the way, I do not know if this extension exists for other browsers, but for Firefox you can install this:
https://addons.mozilla.org/en-US/firefox/addon/content-security-policy-gen/
For Chrome users: https://chromewebstore.google.com/detail/content-security-policy-c/ahlnecfloencbkpfnpljbojmjkfgnmdc?hl=en
- Install the “Content Security Policy Gen” extension.
- Visit the website for which you want to generate CSP rules.
- Click on the extension icon in the browser toolbar to initiate the site scan.
The extension will scan the website and generate recommended CSP rules based on the resources present on the site.
Copy the generated CSP rules from the extension’s output. Do not forget to add upgrade-insecure-requests as the last directive (this is missing from the results).
The Firefox one seems to be a little more detailed, and it does not add a report-uri pointing to the extension developer ;)
Some features are deprecated, like block-all-mixed-content; just remove that. Do not do this with upgrade-insecure-requests.
Without the
script-src 'unsafe-inline'
the LayerSlider does not work; we should ask why.
The biggest issue is that a number of plugins inject inline styles or scripts without nonces, which would require unsafe-inline. And that is sad!

December 19, 2024 at 6:42 am #1473991

December 20, 2024 at 5:40 pm #1474074
I contacted kreaturamedia – here is the answer:
Thank you for reaching out to us and for sharing your concerns about using LayerSlider with your current Content Security Policy (CSP) settings. We’re sorry to hear about the challenges you’ve encountered, and we truly understand your desire to implement stricter security measures on your website.
Unfortunately, for technical reasons, LayerSlider relies on inline scripts to function properly. This is a common practice in the WordPress ecosystem, as nearly all plugins, themes, and even WordPress itself make use of inline scripts. While limiting or disallowing inline scripts can offer certain security advantages, they serve an essential purpose, especially for dynamically generated content. Inline scripts are not inherently a security risk.
If you’re looking for a potential solution, you might consider using a third-party optimization plugin. These tools can consolidate and compress scripts, including inline scripts, into external files. This approach could help you achieve a balance between stricter CSP settings and maintaining the functionality of your website.
I asked them whether it might be possible to include a nonce in their inline scripts. I hope they will answer soon.
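An added example for the last few posts, written here and not code from Enfold, LayerSlider or the thread: a small evaluator for the script-src part of a Content Security Policy, run against the policies that came up above. It shows why `script-src 'self'` blocks a plugin's inline `<script>` while still allowing the plugin's own external file, that `'unsafe-inline'` readmits the inline script only by readmitting every injected inline script too, and how a per-request nonce admits exactly the inline scripts the server stamped (browsers then ignore `'unsafe-inline'`, so the policy stays strict). The page URL, the plugin script path and the fixed nonce value are made up for the demo; the YouTube URL just stands in for any third-party script. Hashes, `'strict-dynamic'`, and ports or paths in host-sources are left out.

```python
from urllib.parse import urlsplit


def parse_csp(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(';'):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or '').lower(), u.port)


def _host_matches(expr, url):
    """host-source: optional scheme, host with an optional leading '*.' wildcard."""
    scheme, host, _ = _origin(url)
    if '://' in expr:
        e_scheme, _, e_host = expr.partition('://')
        if e_scheme.lower() != scheme:
            return False
    else:
        e_host = expr
    e_host = e_host.split('/')[0].split(':')[0].lower()
    if e_host.startswith('*.'):
        return host.endswith(e_host[1:])   # *.example.com matches a.example.com, not example.com
    return host == e_host


def allows_script(policy, page_url, src=None, nonce=None):
    """True if the page at page_url may run the script under `policy`.

    src=None is an inline <script> block; otherwise it is the external script URL.
    nonce is the value of the tag's nonce attribute, if it carries one.
    """
    d = parse_csp(policy)
    sources = d.get('script-src', d.get('default-src'))   # script-src falls back to default-src
    if sources is None:
        return True                                        # no governing directive: unrestricted
    low = [s.lower() for s in sources]
    nonces = {s[7:-1] for s in sources if s.lower().startswith("'nonce-") and s.endswith("'")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in low)
    if nonce is not None and nonce in nonces:
        return True            # a matching nonce admits inline and external scripts alike
    if src is None:
        # CSP3: 'unsafe-inline' is ignored once the directive carries a nonce or hash,
        # so only scripts the server stamped with the nonce run, not injected ones.
        return "'unsafe-inline'" in low and not nonces and not has_hash
    for expr, l in zip(sources, low):
        if l == "'self'":
            if _origin(src) == _origin(page_url):
                return True
        elif l.startswith("'"):
            continue                                       # 'none', nonces, hashes, other keywords
        elif l.endswith(':') and '/' not in l:             # scheme-source such as https:
            if _origin(src)[0] == l[:-1] or (l == 'http:' and _origin(src)[0] == 'https'):
                return True
        elif _host_matches(expr, src):
            return True
    return False


PAGE = 'https://example.com/'                  # made-up site
OWN_JS = PAGE + 'wp-content/plugins/example-slider/slider.js'   # made-up plugin file
THIRD_JS = 'https://www.youtube.com/iframe_api'                 # any third-party script
NONCE = 'r4nd0m'   # demo value; real deployments generate a fresh random nonce per response


def demo():
    """The same four scripts under the policies discussed in the thread."""
    policies = {
        'upgrade-only': "upgrade-insecure-requests",
        'self': "default-src 'self'; script-src 'self'; object-src 'none'",
        'self+unsafe-inline': "script-src 'self' 'unsafe-inline'",
        'self+nonce': f"script-src 'self' 'nonce-{NONCE}' 'unsafe-inline'",
    }
    return {name: {'inline, no nonce': allows_script(p, PAGE),
                   'inline, nonce': allows_script(p, PAGE, nonce=NONCE),
                   'same-origin js': allows_script(p, PAGE, src=OWN_JS),
                   'third-party js': allows_script(p, PAGE, src=THIRD_JS)}
            for name, p in policies.items()}


if __name__ == '__main__':
    for name, row in demo().items():
        print(f'{name:20s}', {k: ('allow' if v else 'BLOCK') for k, v in row.items()})
```

The `self+nonce` row is the one a plugin author would need to support: the plugin's inline block runs only when it carries the nonce the server put in the header, the same-origin file still loads via `'self'`, and an inline script that an attacker managed to inject (no nonce) stays blocked even though `'unsafe-inline'` is still listed.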