[Resolved] jpollie (@jpollie)


    Dear HTTP Headers,

    I tested my site using securityheaders.io.

    The only thing missing is the Content-Security-Policy:

    Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

    Can you explain how to set this up with the plugin?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Anonymous User 15708813 (@anonymized-15708813)

    Setting the CSP will depend on the needs of your website, so there’s no answer that fits all or even most. I suggest doing some reading on how CSP works and the directives you can choose. No one can really tell you the right answer, and it may take experimentation.

  • Plugin Author Dimitar Ivanov (@zinoui)

    You can try one of the following patterns:

    1. Set the value of the “default-src” directive to ‘self’. Leave the other directives with empty values.
    2. Then browse your website (page by page) while the DevTools console is open (F12). If your CSP header needs adjustment, an error will appear in the Console tab. The error is descriptive enough to tell you how to change the CSP header.

    or

    1. The same as above; in addition, make sure “Report-Only” is checked.
    2. Set the “report-uri” directive. In case of an error, the browser will log it to that URL. If you’re unable to implement your own handler, use a third-party service.
    3. Periodically read the log and adjust the CSP header.
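As an added illustration of steps 2 and 3 of the second pattern (this is example code, not the plugin's own): a small Python aggregator for the JSON violation reports a report-uri handler collects. It reduces repeated blocked URLs to origins, proposes candidate directive values, and flags inline/eval violations for manual review instead of allowing them. The report bodies and hostnames below are constructed samples.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what a report-uri endpoint receives: one JSON body per
# violation, wrapped in a "csp-report" object. Two lack "effective-directive"
# (older browsers), one is an inline script, one body is malformed.
SAMPLE_BODIES = [
    '{"csp-report":{"document-uri":"https://shop.example.test/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"https://cdn.example.test/js/app.js"}}',
    '{"csp-report":{"document-uri":"https://shop.example.test/cart","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"https://cdn.example.test/js/cart.js?v=3"}}',
    '{"csp-report":{"document-uri":"https://shop.example.test/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"inline"}}',
    '{"csp-report":{"document-uri":"https://shop.example.test/","violated-directive":"font-src \'self\'","blocked-uri":"https://fonts.example.test/a.woff2"}}',
    '{"csp-report":{"document-uri":"https://shop.example.test/about","violated-directive":"font-src \'self\'","blocked-uri":"https://fonts.example.test/b.woff2"}}',
    '{"csp-report":{"document-uri":"https://shop.example.test/","effective-directive":"img-src","blocked-uri":"https://tracker.example.test/pixel.gif"}}',
    'not json at all',
]

NEEDS_REVIEW = {"inline", "eval"}  # never auto-allow these; use a nonce or hash instead

def parse_report(body):
    """Return the csp-report object, or None when the body is not a valid report."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    return report if isinstance(report, dict) else None

def source_expression(blocked_uri):
    """Map a blocked-uri value to the source expression that would allow it (origin only, no path)."""
    if blocked_uri in NEEDS_REVIEW:
        return blocked_uri
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri + ":" if blocked_uri in ("data", "blob") else blocked_uri

def aggregate(bodies):
    """Count violations per directive and source; falls back to violated-directive for old reports."""
    counts = defaultdict(lambda: defaultdict(int))
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue
        directive = report.get("effective-directive") or report.get("violated-directive", "").split(" ")[0]
        if directive and report.get("blocked-uri"):
            counts[directive][source_expression(report["blocked-uri"])] += 1
    return counts

def suggest(counts, min_hits=2):
    """Directive lines worth adding (sources seen at least min_hits times) plus items needing manual review."""
    policy, review = [], []
    for directive, sources in sorted(counts.items()):
        allow = sorted(s for s, n in sources.items() if n >= min_hits and s not in NEEDS_REVIEW)
        review += [f"{directive}: {s} blocked {n}x, add a nonce or hash rather than 'unsafe-{s}'"
                   for s, n in sources.items() if s in NEEDS_REVIEW]
        if allow:
            policy.append(f"{directive} 'self' {' '.join(allow)}")
    return policy, review

if __name__ == "__main__":
    policy, review = suggest(aggregate(SAMPLE_BODIES))
    print("\n".join(policy + review))
```

Sources seen fewer than `min_hits` times (the tracking pixel above) are left out so a one-off does not end up in the policy.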


The topic ‘Content-Security-Policy’ is closed to new replies.