
No unsafe-inline

Developer: mociofiletto
Updated: 17 October 2024, 05:02
Donate: donation link
PHP version: 7.4 or later
WordPress version: 6.6
License: GPLv2 or later
License URL: license information

Tags

security, multisite, CSP, unsafe-inline, Content Security Policy

Download

1.0.0 1.0.1 1.0.2 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.2.0 1.2.1 1.2.2

Description:

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from executing malicious content in the context of a trusted web page. Cross-site scripting (XSS) is a type of security vulnerability found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Looking at the National Vulnerability Database run by US NIST, more than 900 (March 2024) vulnerabilities are reported as XSS in WordPress plugins and themes. Keeping your site up to date with the latest versions of plugins and themes is the first line of defense for your site's security. The second thing to do is to deploy a strict Content Security Policy.

Installation:

Automatic installation
  1. Open the Plugins admin panel and choose Add New.
  2. Search for No unsafe-inline in the search box.
  3. Locate this plugin in the results and select Install.
  4. Activate the plugin from the WordPress admin panel.
Manual installation of ZIP file
  1. Download the .ZIP file from this screen.
  2. Select Add New under Plugins in the admin panel.
  3. Select the Upload option at the top and choose the file you downloaded.
  4. Confirm installation and activation of the plugin from the administration panel.
Manual FTP installation
  1. Download the .ZIP file from this screen and unzip it.
  2. Connect via FTP to your site's folder on the web server.
  3. Copy the whole no-unsafe-inline folder to the /wp-content/plugins/ directory.
  4. Activate the plugin from the WordPress admin panel.

Screenshots:

  • External scripts tab.
  • Inline scripts/styles tab.
  • List of CSP directives managed in Settings tab.
  • A database summary table at the bottom of tools tab.

Upgrade notice:

1.1.0
  • Compatible with PHP 8.0
  • Added option to use nonces for external scripts and styles. This is the default setting on new installs. If you are upgrading from previous versions and you were using hashes, you need to set the new option to 'nonce' in the Settings tab.
  • Improved compatibility with third-party plugin JavaScript
1.0.0
  • Give it a try!

FAQ:

Is this plugin easy to use?

This is not a click and go tool, but you can follow the instructions and implement a strict CSP.

Has this plugin been widely tested?

No.

Will this plugin impact the site's performance?

During the capturing phase this plugin needs to write a lot of data to the database, so your site can slow down. When the plugin enforces the CSP, it uses a mu-plugin to capture the output of the WordPress process, manipulate it and then send it to the browser. I don't have any measurement of the inherent overhead.
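The nonce-or-hash choice from the upgrade notice and the capture-and-rewrite step described in the answer above, shown as an added Python illustration that is not the plugin's own code (the plugin itself is PHP running as an mu-plugin). The sample page, the fixed nonce value and the minimal policy text are constructed for this example, not the plugin's actual output.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlsplit

# Each <script> element, so it can be hashed (hash mode) or tagged (nonce mode).
SCRIPT_RE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                       re.DOTALL | re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def csp_hash(source):
    """'sha256-...' source expression for one inline body (exact bytes, untrimmed)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def apply_csp(html, mode="nonce", nonce=""):
    """Rewrite the captured page and return (html, Content-Security-Policy value).
    nonce mode: every <script> is tagged with a per-response nonce ('strict-dynamic'
    lets nonced loaders add scripts). hash mode: inline bodies are allow-listed by
    sha256 and external scripts by origin, so the page is sent unchanged."""
    if mode == "nonce":
        nonce = nonce or secrets.token_urlsafe(16)  # fresh per response, never reused
        def add_nonce(m):
            return f'<script nonce="{nonce}"{m.group("attrs")}>{m.group("body")}</script>'
        html = SCRIPT_RE.sub(add_nonce, html)
        sources = [f"'nonce-{nonce}'", "'strict-dynamic'"]
    elif mode == "hash":
        sources = []
        for m in SCRIPT_RE.finditer(html):
            src = SRC_RE.search(m.group("attrs"))
            if src:  # external script: allow its origin ('self' for relative URLs)
                u = urlsplit(src.group(1))
                origin = f"{u.scheme or 'https'}://{u.netloc}" if u.netloc else "'self'"
                if origin not in sources:
                    sources.append(origin)
            elif m.group("body").strip():  # inline script: allow exactly this body
                sources.append(csp_hash(m.group("body")))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    policy = "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'none'"
    return html, policy


# Constructed sample page: one external script and one inline script.
PAGE = ('<html><body><script src="https://cdn.example/a.js"></script>'
        '<script>console.log(1)</script></body></html>')
```

In hash mode any later change to an inline body (for example by a caching or minifying plugin) invalidates the stored hash, which is why a nonce applied at send time survives such edits.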

Is there another way to implement a strict content security policy in WordPress?

Not to my knowledge.

Do you offer professional support for this plugin?

No. But I do my best to offer free support on the wordpress.org support forum in my spare time.

Do you offer professional support for CSP?

No.

Changelog:

  • 1.2.2
  • 1.2.1 Bug fixes
  • 1.2.0
  • 1.1.5
  • 1.1.4
  • 1.1.3
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.2
  • 1.0.1
  • 1.0.0