WP Content Security Plugin

App Details

Content Security Policy (CSP) is a W3C specification for preventing cross-site scripting (XSS) and related attacks. XSS lets other people run scripts on your site, so it is no longer your application that is running there, and because of the Same-Origin Policy it exposes your whole domain: XSS anywhere on your domain is XSS everywhere on your domain. (See https://www.youtube.com/watch?v=WljJ5guzcLs)

CSP tells the browser to enforce a least-privilege environment for your application: the client may load resources only from the sources you trust, and everything from anywhere else is blocked.

Adding CSP to your site will protect your visitors from:

  • Cross-site scripting (XSS) attacks
  • Adware and Spyware while on your site

This plugin will help you set your CSP settings and will add them to the page the visitor requested. Policy violations will be logged in a database table which can be viewed via an admin page that supplies all the violations, along with counts. Buttons easily allow you to add the sites to your headers or to ignore them.

This plugin also allows you to ignore sites that repeatedly violate your policies. For example, some tracking images will show up as policy violations; you still want them blocked, but you can stop that site from appearing in your logs. Note, however, that the browser will still send the violation report to your server, and your server will still spend resources processing that call.
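As an added example (not the plugin's own code), this Python snippet shows the logging step described above: parsing the JSON reports a browser POSTs to the report-uri endpoint, counting them per directive and blocked source, and dropping hosts on an ignore list so they no longer fill the log. The report layout (a csp-report object carrying effective-directive or violated-directive and blocked-uri) is the browser's reporting format; the sample reports, host names and the ignore list are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit
# Added example, not the plugin's code. Constructed ignore list: hosts whose violations
# are dropped from the log (the browser still POSTs the report; only logging skips it).
IGNORED_HOSTS = {"tracker.example"}

def blocked_source(blocked_uri: str) -> str:
    """Reduce blocked-uri to the source you would allow (scheme://host); 'inline', 'eval', 'data' pass through."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"

def parse_report(body: str):
    """Parse one report-uri POST body; returns (directive, source) or None if malformed."""
    try:
        report = json.loads(body)["csp-report"]
        # Older browsers send only violated-directive, e.g. "font-src 'self'".
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        return directive, blocked_source(str(report.get("blocked-uri", "")))
    except (ValueError, KeyError, TypeError, AttributeError, IndexError):
        return None

def aggregate(bodies, ignored=IGNORED_HOSTS) -> Counter:
    """Count violations per (directive, source), skipping ignored hosts and their subdomains."""
    counts = Counter()
    for body in bodies:
        parsed = parse_report(body)
        if parsed is None:
            continue
        directive, source = parsed
        host = urlsplit(source).hostname or ""
        if host in ignored or any(host.endswith("." + h) for h in ignored):
            continue
        counts[(directive, source)] += 1
    return counts

def _report(directive: str, uri: str) -> str:   # builds one constructed report body
    return json.dumps({"csp-report": {"document-uri": "https://blog.example/post",
                                      "effective-directive": directive, "blocked-uri": uri}})

SAMPLE_REPORTS = [  # constructed report bodies, as a browser would POST them
    _report("img-src", "https://tracker.example/pixel.gif?id=1"),
    _report("script-src", "https://cdn.example/app.js"),
    _report("script-src", "https://cdn.example/vendor.js"),
    _report("style-src", "inline"),
    json.dumps({"csp-report": {"violated-directive": "font-src 'self'", "blocked-uri": "https://fonts.example/f.woff2"}}),
    "not json at all",
]
```

`aggregate(SAMPLE_REPORTS).most_common()` gives the per-source counts the admin page would list; the tracker reports are received but never counted.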

In addition, this plugin can help you to get on the HSTS Preload list – See https://hstspreload.org/ for details.

CSP Directives

CSP allows you to control where your visitors’ browser can run code from.

The W3C specification allows for the following directives:

  • default-src
    The default-src directive is the fallback policy for loading content: if another fetch directive is left blank, this value is used.

  • script-src
    Defines valid sources of JavaScript.

  • style-src
    Defines valid sources of stylesheets.

  • img-src
    Defines valid sources of images.

  • connect-src
    Applies to XMLHttpRequest (AJAX), WebSocket or EventSource.

  • manifest-src
    Specifies which manifest can be applied to the resource.

  • worker-src
    Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.

  • font-src
    Defines valid sources of fonts.

  • object-src
    Defines valid sources of plugins. Stops your site becoming the source of drive-by attacks.

  • media-src
    Defines valid sources of audio and video.

  • base-uri
    Restricts the URLs that can be used in the page's <base> element.

  • frame-src
    Defines valid sources for loading frames.

  • sandbox
    Enables a sandbox for the requested resource similar to the iframe sandbox attribute.

  • form-action
    The form-action restricts which URLs can be used as the action of HTML form elements.

  • frame-ancestors
    Specifies which pages may embed this resource using frame, iframe, object, embed, etc., and applies to non-HTML resources as well.

  • plugin-types
    Restricts the set of plugins that can be invoked by limiting the types of resources that can be embedded.

  • report-uri
    URL to post information on violations of the policies you set.

  • require-sri-for
    Require integrity check for scripts and/or styles.

CSP Entry Syntax

Note – with version 3 of the CSP specification there has been a move to ‘strict-dynamic’ – see the Upgrade Notice section for more information.

Each directive can take one or more of the following values:

  • *
    Allows loading resources from any source.

  • 'none'
    Blocks loading resources from all sources. The single quotes are required.

  • 'self'
    Refers to your own host. The single quotes are required.

  • 'unsafe-inline'
    Allows inline elements, such as functions in script tags, onclick handlers, etc. The single quotes are required.

  • 'unsafe-eval'
    Allows unsafe dynamic code evaluation such as JavaScript eval(). The single quotes are required.

  • 'strict-dynamic'
    The trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, is propagated to all the scripts loaded by that root script. The single quotes are required.

  • 'sha-AAAAAAAAA'
    For scripts and styles that can't take a nonce, the browser's console reports a 'sha-' hash value you can allow. The single quotes are required.

  • 'nonce-AAAAAAAAA'
    The per-request nonce value. The plugin generates it automatically on every page load; it should not be entered by the user. The single quotes are required.

  • data:
    Allows loading resources from the data: scheme, usually inline images. This is insecure, since an attacker can also inject arbitrary data: URIs. Use it sparingly and never for scripts.

  • mediastream:
    Allows mediastream: URIs to be used as a content source.

  • filesystem:
    Allows loading resources from the filesystem: scheme.

  • https:
    Allows loading resources only over HTTPS, from any domain. This can be used to block insecure (http:) requests.

  • www.example.com
    Allows loading resources from this host, using any scheme (http/https).

  • *.example.com
    Allows loading resources from any subdomain under example.com, using any scheme (http/https).

  • http://www.example.com
    Allows loading resources from this host using only this scheme.

  • /path/to/file/
    Allows loading any file from this path on this domain.

  • /path/to/file/thefile
    Allows loading this one file on this domain.
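The following Python example, added here and not part of the plugin, turns a set of directive settings written in the syntax above into a Content-Security-Policy header value: it adds the required single quotes to keywords, nonce and hash values, rejects malformed entries, generates a fresh nonce per response, and flags script sources that defeat the policy. The sha256-/sha384-/sha512- hash prefixes and the scheme and host forms are those of the CSP specification; the policy and domain names used to exercise it are constructed.

```python
import re
import secrets
# Added example, not the plugin's code. Source forms follow the list above.
QUOTED_KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")                  # data: https: ...
HASH_OR_NONCE = re.compile(r"^'?(nonce-[\w+/=-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'?$")
HOST_SOURCE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"                     # optional scheme
    r"(?:\*\.)?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"   # host, optional *. wildcard
    r"(?::(?:\d+|\*))?(?:/[^\s;,']*)?$")                    # optional port and path
PATH_SOURCE = re.compile(r"^/[^\s;,']*$")                   # /path/to/file/ entries

def new_nonce() -> str:
    """One fresh nonce per response, as the plugin generates per page refresh."""
    return secrets.token_urlsafe(16)

def normalize_source(value: str) -> str:
    """Validate one source expression and return it as the browser expects it.
    Rejecting ';' and whitespace also stops a value from smuggling in extra directives."""
    v = value.strip()
    bare = v.strip("'")
    if bare in QUOTED_KEYWORDS or HASH_OR_NONCE.match(v):    # must be single-quoted
        return f"'{bare}'"
    if v == "*" or SCHEME_SOURCE.match(v) or HOST_SOURCE.match(v) or PATH_SOURCE.match(v):
        return v
    raise ValueError(f"invalid CSP source expression: {value!r}")

def build_csp(policy: dict, nonce=None) -> str:
    """Serialize {directive: [sources]} into a Content-Security-Policy header value,
    appending the per-response nonce to script-src and style-src when one is given."""
    parts = []
    for directive, sources in policy.items():
        srcs = [normalize_source(s) for s in sources]
        if nonce and directive in ("script-src", "style-src"):
            srcs.append(f"'nonce-{nonce}'")
        if "'none'" in srcs and len(srcs) > 1:
            raise ValueError(f"{directive}: 'none' cannot be combined with other sources")
        parts.append(" ".join([directive, *srcs]))
    return "; ".join(parts)

def lint(policy: dict) -> list:
    """Flag settings that undo the XSS protection CSP is meant to give."""
    script = [normalize_source(s) for s in policy.get("script-src", policy.get("default-src", []))]
    defaults = [normalize_source(s) for s in policy.get("default-src", [])]
    warnings = [f"script sources allow {r}" for r in ("*", "data:", "'unsafe-inline'", "'unsafe-eval'") if r in script]
    if "object-src" not in policy and "'none'" not in defaults:
        warnings.append("object-src is unrestricted; set it to 'none' unless plugins are needed")
    return warnings
```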

Security Headers

In addition to the CSP headers, there are other security headers supported, including:

  • Expect-CT
    Instructs user agents (browsers) to expect valid Signed Certificate Timestamps (SCTs) to be served.

  • Strict Transport Security
    The HTTP Strict-Transport-Security response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

  • X-Frame-Options
    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

  • X-XSS-Protection
    The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript (‘unsafe-inline’), they can still provide protections for users of older web browsers that don’t yet support CSP.

  • X-Content-Type-Options
    The X-Content-Type-Options response header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers are correct and must be followed rather than changed. It lets a site opt out of MIME type sniffing; in other words, it is a way of saying that the webmasters knew what they were doing.

  • Referrer-Policy
    The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests.

Written By

This plugin was written by Dylan Downhill, CDO of Elixir Interactive.

Pricing

Starting from $0 per month.


App Info

Reviewers: 14 reviews

Tags: content security policy, csp

Developed By: Dylan
