Friday, 29 October, 2021

Easy Content Security Policy (CSP) Headers for WordPress

Security headers can be hard. One of the most troublesome are Content Security Policy (CSP) headers which specify what content (images, scripts, etc) a page is allowed to load. The help protect your site and your users from cross-site scripting (XSS) by ensuring that the content your site loads has been authorized and isn’t malicious.

Historically CSP headers have been difficult for most WordPress developers as there has been no easy way to manage them on your site. That’s no longer the case thanks to a very handy plugin.

Content Security Policy Manager by Patrick Sletvold is a simple plugin that lets you modify each available header to remove any warnings from your site. It allows you to edit individual policies and makes testing them easy by allowing for a “report only” mode that can be toggled with a single click.

Take a look at the screenshots below from this site to see just how easy it can be to manage CSP headers.

{{0xc0034c8550 0xc0034c8550 /images/2021/10/csp-manager-settings.png You can choose to test your settings by setting the plugin to 'Report Only' and look at your developer tools for issues. You can choose to test your settings by setting the plugin to ‘Report Only’ and look at your developer tools for issues. You can choose to test your settings by setting the plugin to ‘Report Only’ and look at your developer tools for issues. 0xc001b706c0} 0 true} — You can choose to test your settings by setting the plugin to 'Report Only' and look at your developer tools for issues.

{{0xc0034c8550 0xc0034c8550 /images/2021/10/csp-manager-settings-2.png When an issue is found simply add the src to the appropriate box and you're done. When an issue is found simply add the src to the appropriate box and you’re done. When an issue is found simply add the src to the appropriate box and you’re done. 0xc0037bc720} 1 true} — When an issue is found simply add the src to the appropriate box and you're done.

Sure it takes a little time to get them all, especially on a more complicated site. It is worth it though as your site will rate better when you do any kind of security test and will be safer for you and your users as you’ll know that nothing can be added without your knowledge.

{{0xc0034c8550 0xc0034c8550 /images/2021/10/Screen-Shot-2021-10-24.jpg The security score from this site on webpagetest.org after implementing CSP Manager. The security score from this site on webpagetest.org after implementing CSP Manager. The security score from this site on webpagetest.org after implementing CSP Manager. 0xc001ae6a80} 2 true} — The security score from this site on webpagetest.org after implementing CSP Manager.