Linux 软件免费装
Banner图

WP Content Security Plugin

开发者 dyland
更新时间 2018年2月11日 01:28
捐献地址: 去捐款
PHP版本: 5.3 及以上
WordPress版本: 4.9.4
版权: GPLv2 or later
版权网址: 版权信息

标签

csp content security policy

下载

1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 2.0 2.1 2.2 2.3

详情介绍:

Content Security Policy (CSP) is a W3C guideline to prevent cross-site scripting (XSS) and related attacks. XSS allows other people to run scripts on your site, making it no longer your application running on your site, and opens your whole domain to attack due to "Same-Origin Policy" - XSS anywhere on your domain is XSS everywhere on your domain. (see https://www.youtube.com/watch?v=WljJ5guzcLs) CSP tells your browser to push least-privilege environment on your application, allowing the client to only use resources from trusted domains and block all resources from anywhere else. Adding CSP to your site will protect your visitors from: This plugin will help you set your CSP settings and will add them to the page the visitor requested. Policy violations will be logged in a database table which can be viewed via an admin page that supplies all the violations, along with counts. Buttons easily allow you to add the sites to your headers or to ignore them. This plugin also allows you to ignore sites that repeatedly violate your policies. For example, some tracking images will show as violating your policies, but you still don't want them to run, therefore you can block the site from showing up in your logs - note, however, that the browser will still call your server and your server will still spend resources processing the call. In addition, this plugin can help you to get on the HSTS Preload list - See https://hstspreload.org/ for details. CSP Directives CSP allows you to control where your visitors' browser can run code from. The W3C specification allows for the following directives: CSP Entry Syntax Note - with version 3 of the CSP specification there has been a move to 'strict-dynamic' - see the Upgrade Notice section for more information. Each directive can take one or more of the following values: Security Headers In addition to the CSP headers, there are other security headers supported, including:

安装:

Before You Start I recommend you move all styles and scripts into include files - this will allow WP_CSP to approve the included file and will mean you can stop the browser running scripts that have been added to the page from an unknown source. Read the ** Upgrade notice** for information on CSP version 3. To Install Follow the standard Wordpress plugin installation procedures. e.g.
  1. Upload plugin-name.php to the /wp-content/plugins/ directory
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. Visit the settings under 'Settings->Content Security Policy Options'. I recommend you run this plugin in 'report only' mode for a little while to help you set your CSP settings correctly.
To Upgrade See the new CSP V3 tab on the admin page.

升级注意事项:

See the new CSP V3 tab on the admin page.

常见问题:

What is the best way to set a content security policy

When you first turn on CSP, put into report-only mode and build the basic rules for your site. After about a week, turn off report-only and go to enforce rules. If you want to implement the latest W3C version of CSP - version 3 Google recommends - set the following for default-src, script-src, and style-src: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http: (single quotes are required) This will allow modern browsers to run the latest version of CSP with nonces, etc. and older browsers to just work without restrictions. If you're going to run CSP v2, one good way of building a policy for a site would be to begin with a default-src of 'self', and to build up a policy from there that contains only those resource types which are actually in use for the page you'd like to protect. If you don't use webfonts, for instance, there's no reason to specify a source list for font-src; specifying only those resource types a page uses ensures that the possible attack surface for that page remains as small as possible.

Should I set 'self' in all options

Usually you will trust your own site for all directives; however, I usually only add 'self' when it shows up as a violation. None of these directives is inherited, except some directives will default to 'default-src' if not set explicitly.

Should I set '*' in all options?

Usually you would want to keep security as strict as possible while still allowing your application to run. Therefore, '*' should be avoided.

Can I have a different policy for each page?

The W3C specification allows for a different policy for each page, this plugin was not written with page-level security capability.

Can I have some options enforced and some report-only?

The W3C specification allows for this functionality; this plugin does not support this capability.

No errors are getting logged

  1. First check that your site is producing CSP errors by starting the developer tools in your browser (usually F12) and checking for messages in the console output.
  2. If nothing is in the console output then check the page has a CSP header by looking at the page in the 'network' tab of the dev tools. Check the 'response' has a header called 'content-security-policy' or 'content-security-policy-report-only' - if this is misisng then the plugin is not running or CSP is not enabled.
  3. If there is a CSP header and nothing is reported in the console then you have no violations and everything is running as it should. Yippee!
  4. If there is a CSP header and errors in the console then the REST route might not be registered properly. Go to /wp-json and look for 'wpcsp' (usually CTRL-F for find and type in wpcsp) - if nothing is listed then the REST route is not getting registered.
  5. Look in the PHP error logs for an error - post the error, file name and line number in the support forums and I should be able to work out why it's failing.

CSP v3 Inline Scripts/Styles

Inline scripts and styles can be dangerous, you do not know which scripts wrote them and probably don't want them run if you can avoid it. When you use 'script-dynamic', the "unsafe-eval" and "unsafe-inline stop working and the browser will say in the console "Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list." To fix this either:

  • Put all the scripts and/or style code into files and include the files.
  • If the browser returns "Either the 'unsafe-inline' keyword, a hash ('sha256-h3SEZNZpOYg4jp6TCkoWN7Z477Qt3q1owH0SPbz+a4M='), or a nonce ('nonce-...') is required to enable inline execution." - you can take the SHA number (including single quotes) and put that in the policy line.

How Big Does The Database Get

This is different for all sites. The plugin will automatically delete records older than one week to keep the size managable. Also, if too many records are found the system will only report on the worse errors to avoid locking your browser.

Handling the Violation Reports/Errors Is A Big Resouce Drain

Every error output by your browser is likely to result in a call to the server to log the error - if a page has 20 errors that's 20 calls to your server - this can be a lot of processing power. To avoid this change the "Log Violations" option from "Yes, All" to "Yes - 10%", "Yes - 1%', or "Yes - 0.1%" - in each case the plugin will randomly allow only a set fraction of your visitors to report errors back to the server, they're still enfored at the browser but no report will come back to your site.

更新日志:

2.3 2.2 2.1 2.0 1.9 1.8 1.7 1.6 1.5 1.4 1.3 1.2 1.1 1.0