Content Security Policy (CSP) is a W3C guideline to prevent cross-site scripting (XSS) and related attacks. XSS allows other people to run scripts on your site, making it no
longer your application running on your site, and opens your whole domain to attack due to "Same-Origin Policy" - XSS anywhere on your domain is XSS everywhere on your domain. (see
https://www.youtube.com/watch?v=WljJ5guzcLs)
CSP tells your browser to push least-privilege environment on your application, allowing the client to only use resources from trusted domains and block all resources from anywhere else.
Adding CSP to your site will protect your visitors from:
- Cross-site scripting (XSS) attacks
- Adware and Spyware while on your site
This plugin will help you set your CSP settings and will add them to the page the visitor requested. Policy violations will be logged in a database table which can be viewed via an admin page that supplies all the violations, along with counts. Buttons easily allow you to add the sites to your headers or to ignore them.
This plugin also allows you to ignore sites that repeatedly violate your policies. For example, some tracking images will show as violating your policies, but you still don't want them to run, therefore you can block the site from showing up in your logs - note, however, that the browser will still call your server and your server will still spend resources processing the call.
In addition, this plugin can help you to get on the
HSTS Preload list - See
https://hstspreload.org/ for details.
CSP Directives
CSP allows you to control where your visitors' browser can run code from.
The W3C specification allows for the following directives:
- default-src
The default-src is the default policy for loading content. If another setting is blank then this setting will be used.
- script-src
Defines valid sources of JavaScript.
- style-src
Defines valid sources of stylesheets.
- img-src
Defines valid sources of images.
- connect-src
Applies to XMLHttpRequest (AJAX), WebSocket or EventSource.
- manifest-src
Specifies which manifest can be applied to the resource
- worker-src
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- font-src
Defines valid sources of fonts.
- object-src
Defines valid sources of plugins. Stops your site becoming the source of drive-by attacks.
- media-src
Defines valid sources of audio and video.
- base-uri
Limit the values that can be used in the entry.
- frame-src
Defines valid sources for loading frames.
- sandbox
Enables a sandbox for the requested resource similar to the iframe sandbox attribute.
- form-action
The form-action restricts which URLs can be used as the action of HTML form elements.
- frame-ancestors
Whether to allow embedding the resource using a frame, iframe, object, embed, etc. in non-HTML resources.
- plugin-types
Restricts the set of plugins that can be invoked by limiting the types of resources that can be embedded.
- report-uri
URL to post information on violations of the policies you set.
- require-sri-for
Require integrity check for scripts and/or styles.
CSP Entry Syntax
Note - with version 3 of the CSP specification there has been a move to 'strict-dynamic' - see the
Upgrade Notice section for more information.
Each directive can take one or more of the following values:
- *
Allows loading resources from any source.
- 'none'
Blocks loading resources from all sources. The single quotes are required.
- 'self'
Refers to your own host. The single quotes are required.
- 'unsafe-inline'
Allows inline elements, such as functions in script tags, onclicks, etc. The single quotes are required.
- 'unsafe-eval'
Allows unsafe dynamic code evaluation such as JavaScript eval(). The single quotes are required.
- 'strict-dynamic'
The trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. The single quotes are required.
- 'sha-AAAAAAAAA'
For scripts and styles that can't take a nonce the browser will tell you a 'sha-' value you can use. The single quotes are required.
- 'nonce-AAAAAAAAA'
The trust nonce value - this value is automatically generated per page refresh and should not be entered by the user. The single quotes are required.
- data:
Allow loading resources from data scheme - usually inline images. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
- mediastream:
Allows mediastream: URIs to be used as a content source.
- filesystem:
Allow loading resource from file system.
- https:
Only allows loading resources from HTTPS: on any domain. This can be used to block insecure requests.
- www.example.com
Allow loading resources from this domain, using any scheme (http/https)
- *.example.com
Allow loading resourcs from any subdomain under example.com, using any scheme (http/https)
- http://www.example.com
Allows loading resources from this domain using this scheme.
- /path/to/file/
Allows loading any file from this path on this domain.
- /path/to/file/thefile
Allows loading this one file on this domain.
Security Headers
In addition to the CSP headers, there are other security headers supported, including:
- Expect-CT
Instructs user agents (browsers) to expect valid Signed Certificate Timestamps (SCTs) to be served.
- Strict Transport Security
The HTTP Strict-Transport-Security response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
- X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
- X-XSS-Protection
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.
- X-Content-Type-Options
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.
- Referrer-Policy
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.
Before You Start
I recommend you
move all styles and scripts into include files - this will allow WP_CSP to approve the included file and will mean you can stop the browser running scripts that have been added to the page from an unknown source.
Read the ** Upgrade notice** for information on CSP version 3.
To Install
Follow the standard Wordpress plugin installation procedures.
e.g.
- Upload
plugin-name.php
to the /wp-content/plugins/
directory
- Activate the plugin through the 'Plugins' menu in WordPress
- Visit the settings under 'Settings->Content Security Policy Options'. I recommend you run this plugin in 'report only' mode for a little while to help you set your CSP settings correctly.
To Upgrade
See the new CSP V3 tab on the admin page.