April 26, 2022 at 8:54 am #1349468
These entries in your .htaccess (for Apache; please google for alternative methods on different servers) help to increase the security of your site visitors. You can inspect your site, for example, on: https://securityheaders.com
I have been working for quite some time on finding a solution for WordPress that also passes critical tests.
Unfortunately, so far WordPress did not work in the frontend with some settings of the Content Security Policy, and Enfold, for example, does not show all options correctly. Some of the settings had to be set to an “unsafe” value, e.g. script-src 'unsafe-inline'. Now there are new ways to set the CSP so that it passes the test pages with an A+ while the frontend still works unaffected.
However, I had to set another setting (the referrer policy) a little lower in security level so that the YouTube videos created in Enfold also work correctly. With this code here I have done well so far:

# -----------------------------------------------------------------------------
# HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2022
# -----------------------------------------------------------------------------
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "camera=(), fullscreen=(self), geolocation=(self), microphone=(), interest-cohort=()"
Header always set Expect-CT "enforce, max-age=21600"
</IfModule>

By the way, sometimes it needs an Apache server restart.
https://securityheaders.com/?q=webers-testseite.de&followRedirects=on
May 1, 2022 at 6:13 am #1350101
Yes, the
Content-Security-Policy "upgrade-insecure-requests"
is new. The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
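As an added example (not code posted in this thread and not part of Enfold), here is a small Python audit of a header fragment like the one above: it parses the `Header [always] set` lines, replays them with mod_headers semantics (a later `set` replaces an earlier one, so only the last value is ever sent), and reports the points that securityheaders.com and Lighthouse typically flag. The first input is a copy of the block posted at the top of the thread; the second is a constructed fragment with two hand-editing slips (the same header set twice, and a stray colon after a header name) so that those checks have something to find.

```python
import re

# Copy of the .htaccess fragment posted at the top of this thread (April 2022).
HTACCESS_2022 = '''
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "camera=(), fullscreen=(self), geolocation=(self), microphone=(), interest-cohort=()"
Header always set Expect-CT "enforce, max-age=21600"
</IfModule>
'''

# Constructed fragment (not from the thread) with two hand-editing slips: the same
# header `set` twice (only the last value reaches the browser) and a stray colon after
# a header name (Apache then emits "Name:: value", which browsers treat as invalid).
HTACCESS_SLIPS = '''
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
Header set Cross-Origin-Resource-Policy: "same-site"
</IfModule>
'''

# One mod_headers directive: Header [always|onsuccess] action name ["value"]
DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:(always|onsuccess)\s+)?(set|append|add|merge|unset)\s+(\S+)(?:\s+"([^"]*)")?',
    re.IGNORECASE | re.MULTILINE)

def parse_directives(fragment):
    """Return (condition, action, header-name, value) for each `Header` line, in file order."""
    return [(m.group(1) or "onsuccess", m.group(2).lower(), m.group(3), m.group(4) or "")
            for m in DIRECTIVE.finditer(fragment)]

def effective_headers(directives):
    """Replay the directives as mod_headers does within one scope: `set` replaces,
    `unset` removes, add/append/merge accumulate (modelled as one comma-joined value)."""
    eff = {}
    for _, action, name, value in directives:
        key = name.lower()
        if action == "set":
            eff[key] = value
        elif action == "unset":
            eff.pop(key, None)
        else:
            eff[key] = f"{eff[key]}, {value}" if key in eff else value
    return eff

def audit(fragment):
    """Return a list of plain-text findings for the fragment."""
    findings = []
    directives = parse_directives(fragment)
    seen = set()
    for _, action, name, value in directives:
        if name.endswith(":"):
            findings.append(f"{name} trailing colon: Apache sends '{name}: {value}', browsers ignore it")
        if action == "set" and name.lower() in seen:
            findings.append(f"{name} is set more than once; only the last value ({value}) is sent")
        seen.add(name.lower())
    eff = effective_headers(directives)

    hsts = eff.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("Strict-Transport-Security missing")
    elif "preload" in hsts and int(age.group(1)) < 31536000:
        findings.append("HSTS preload needs max-age >= 31536000 (one year)")

    csp = eff.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        parts = [d.split() for d in csp.split(";") if d.strip()]
        if not any(p[0].lower() == "default-src" or p[0].lower().endswith("-src") for p in parts):
            findings.append("CSP has no source directive: upgrade-insecure-requests alone restricts nothing")
        if any(p[0].lower() == "script-src" and "'unsafe-inline'" in p for p in parts):
            findings.append("script-src allows 'unsafe-inline', which defeats CSP as an XSS mitigation")

    if "x-xss-protection" in eff:
        findings.append("X-XSS-Protection is deprecated; current browsers no longer ship the XSS auditor it controlled")
    if "expect-ct" in eff:
        findings.append("Expect-CT is deprecated; Chrome dropped it in 2022")
    if "interest-cohort" in eff.get("permissions-policy", ""):
        findings.append("Permissions-Policy interest-cohort is not a recognized feature (FLoC was abandoned); browsers log a warning")
    return findings

if __name__ == "__main__":
    for label, fragment in (("2022 post", HTACCESS_2022), ("constructed slips", HTACCESS_SLIPS)):
        print(label)
        for finding in audit(fragment):
            print("  -", finding)
```

The checks are deliberately limited to what can be read off the fragment itself; whether the headers actually reach the browser still has to be confirmed against the live response (for example with `curl -I`), since a `<IfModule>` block is silently skipped when mod_headers is not loaded.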
July 4, 2022 at 10:12 am #1357180
@guenni007
Nice work on this. I see warnings in Web Vitals about this under best practice.
Did you just insert this code into the header on every page?
July 4, 2022 at 11:10 am #1357181
This is part of the .htaccess file in the root folder of your WordPress installation. That file has no file extension and is an invisible file (with a dot in front: .htaccess), but you can force most FTP clients to show those files (e.g. FileZilla under the Server menu).
Maybe Google does not like the interest-cohort=() option; read about that setting and Google FLoC.
July 4, 2022 at 11:20 am #1357182
Thanks Guenni007.
Sorry, an oversight on my part. I didn't look at the tags properly; it's obviously Apache mod_headers, not an HTML tag!
I’ll try this out on a couple of sites.
Thanks for confirming :)
December 3, 2024 at 5:09 pm #1472789
Hi Guenni007
I found this thread and have a related problem: https://kriesi.at/support/topic/lighthouse-csp-errors/
The mods can’t help – can you offer any suggestions?
Thanks.
December 18, 2024 at 7:16 am #1473873
Hi,
@zimbo: We adjusted the directive a bit — specifically the Content-Security-Policy. Please try testing it again:
# -----------------------------------------------------------------------------
# HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2022
# -----------------------------------------------------------------------------
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests;"
Header always set Permissions-Policy "camera=(), fullscreen=(self), geolocation=(self), microphone=(), interest-cohort=()"
Header always set Expect-CT "enforce, max-age=21600"
</IfModule>
Best regards,
Ismael
December 18, 2024 at 1:30 pm #1473898
In the meantime I have some more entries on that in my .htaccess file:

<IfModule mod_headers.c>
# Referrer-Policy is set twice; with `set` the second line replaces the first,
# so only strict-origin-when-cross-origin is actually sent
Header set Referrer-Policy "no-referrer"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
# two years
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)"
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "same-origin"
# no colon after the header name, otherwise Apache emits "Name:: value" and the header is ignored
Header set Cross-Origin-Resource-Policy "same-site"
</IfModule>

With this setting I have no errors on either PageSpeed Insights or Lighthouse (inside the Chrome browser), just warnings.
You can see the results here: https://securityheaders.com/?q=webers-testseite.de&followRedirects=on
Although this is criticized, it does not prevent you from receiving the 100 points ;)
I fear that you will block some scripts with script-src 'self' on the Advanced LayerSlider.
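Ismael's policy above (`default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'`) and guenni007's concern that `script-src 'self'` will block scripts can be checked without a browser. The following is an added example, not code posted by either of them and not part of Enfold: a small CSP evaluator in Python that applies the fetch-directive fallback rules (script-src, style-src, font-src and object-src fall back to default-src; frame-src falls back to child-src and then default-src) and the 'self' / 'none' / host-source matching to a constructed list of loads typical of a WordPress page (same-origin script, inline script, inline style, YouTube iframe, Google Font file, plug-in object). The site origin https://example.com, the resource URLs and the relaxed `frame-src` variant are assumptions; nonces, hashes and 'strict-dynamic' are not modelled, and a scheme-less host source is matched against the resource's own scheme (a simplification of the spec).

```python
from urllib.parse import urlsplit

# Fetch directives and the order in which a browser falls back when one is absent.
FALLBACK = {
    "script-src":  ("script-src", "default-src"),
    "style-src":   ("style-src", "default-src"),
    "img-src":     ("img-src", "default-src"),
    "font-src":    ("font-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
    "frame-src":   ("frame-src", "child-src", "default-src"),
    "object-src":  ("object-src", "default-src"),
}
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_csp(policy):
    """'default-src 'self'; script-src 'self' https://cdn' -> {'default-src': ["'self'"], ...}"""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    return csp

def _port(u):
    return u.port or DEFAULT_PORT.get(u.scheme)

def source_allows(source, page, url):
    """One CSP source expression vs. one resource URL (both page and url are urlsplit results)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return url.scheme in ("http", "https")
    if src == "'self'":
        return (url.scheme, url.hostname, _port(url)) == (page.scheme, page.hostname, _port(page))
    if src.startswith("'"):                     # 'unsafe-inline', 'unsafe-eval', nonces, hashes: never match a URL
        return False
    if src.endswith(":") and "/" not in src:    # scheme-source such as https:
        return url.scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; simplification: a missing scheme is taken from the URL
    pat = urlsplit(src if "://" in src else f"{url.scheme}://{src}")
    if pat.scheme != url.scheme:
        return False
    host_ok = (pat.hostname == "*" or pat.hostname == url.hostname
               or (pat.hostname.startswith("*.") and url.hostname.endswith(pat.hostname[1:])))
    if not host_ok or _port(pat) != _port(url):
        return False
    if pat.path and pat.path != "/":            # directory prefix if it ends in "/", else exact file
        return url.path.startswith(pat.path) if pat.path.endswith("/") else url.path == pat.path
    return True

def allowed(policy, page_origin, directive, url=None):
    """Would a browser enforcing `policy` on a page at `page_origin` load this resource?
    url=None stands for an inline <script> or <style> element."""
    csp = parse_csp(policy)
    sources = next((csp[d] for d in FALLBACK[directive] if d in csp), None)
    if sources is None:                         # no governing directive: the CSP imposes no restriction here
        return True
    if url is None:
        return "'unsafe-inline'" in (s.lower() for s in sources)
    page, res = urlsplit(page_origin), urlsplit(url)
    return any(source_allows(s, page, res) for s in sources)

# Constructed site and loads (assumptions, typical of a WordPress/Enfold front end).
PAGE = "https://example.com"
LOADS = [
    ("same-origin script",   "script-src", "https://example.com/wp-includes/js/jquery/jquery.min.js"),
    ("inline script",        "script-src", None),
    ("inline style",         "style-src",  None),
    ("YouTube embed",        "frame-src",  "https://www.youtube.com/embed/VIDEO_ID"),
    ("Google Font file",     "font-src",   "https://fonts.gstatic.com/s/opensans/v40/font.woff2"),
    ("plug-in object",       "object-src", "https://example.com/legacy.swf"),
]

UPGRADE_ONLY = "upgrade-insecure-requests"
STRICT = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests;"
# Assumed relaxation (not from the thread): keep 'self' for scripts, but name the frame hosts a YouTube embed needs.
WITH_YT = STRICT + " frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com;"

def report(policy):
    """{load label: allowed?} for every constructed load under one policy."""
    return {label: allowed(policy, PAGE, directive, url) for label, directive, url in LOADS}

if __name__ == "__main__":
    for name, policy in (("upgrade-insecure-requests only", UPGRADE_ONLY), ("strict policy", STRICT), ("strict + frame-src", WITH_YT)):
        print(name)
        for label, ok in report(policy).items():
            print(f"  {'allowed' if ok else 'BLOCKED'}  {label}")
```

Under the `upgrade-insecure-requests`-only policy every load is allowed, because no fetch directive governs anything. Under the strict policy the same-origin script and the inline style pass, but the inline script, the YouTube iframe, the external font and the plug-in object are all blocked; adding `frame-src` unblocks only the iframe, while inline scripts stay blocked until they are given nonces or hashes (or `script-src` is widened).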