How to use the Content Security Policy generator

Really Simple SSL Pro can generate a Content Security Policy for your WordPress site. A Content Security Policy is an additional layer of security that can mitigate and detect various security threats. Since this is an advanced feature, we recommend using it only if you understand what a Content Security Policy does. Note that this Content Security Policy won’t protect your site 100%: with the way WordPress is currently set up, both script-src and style-src must allow unsafe-inline execution for a Content Security Policy to work with WordPress. We are aware that this is not an ideal situation and will be looking at ways to improve it in future iterations of the Content Security Policy generator.

The Content Security Policy generator

The Content Security Policy generator has two features:

  1. A reporting feature to gather data about used resources on your site.
  2. A ‘live’ feature to enforce the Content Security Policy rules.

Content Security Policy reporting

To start generating a Content Security Policy, enable the ‘Learning Mode’ option in the ‘Source Directives’ block of the ‘Content Security Policy’ tab of the Really Simple SSL Pro settings. The reporting functionality won’t have any effect on your site yet, because Really Simple SSL only collects the resources used on your website. You will see the message ‘We’re configuring your Content Security Policy’, which indicates that Really Simple SSL has started collecting data.

We suggest you come back after a few days and click on the ‘Exit Learning Mode’ link. You can speed up detection by visiting all pages and testing all functionality of your website. After a number of days (we recommend leaving it in learning mode for at least a week), the Content Security Policy generator will have listed all resources that are currently flagged as violations of your Content Security Policy and added them to the allow list. Note: Pages or functionality not used during the learning mode period might break when you enforce the Content Security Policy. The resulting list should look something like this:

After exiting learning mode you should review the detected directives and revoke any directives that you do not consider legitimate use of your website. Note: Be careful when revoking directives, as revoking legitimate directives will disable functionality on your website. Revoked directives can easily be allowed again by clicking ‘Allow’. When you are satisfied, click the ‘Enforce’ button to enforce the Content Security Policy. Once the Content Security Policy rules are enforced, content that is not explicitly allowed is prevented from running on your website. If something still breaks, simply enable learning mode again to add the missing directives.

Note: There are a number of default directives that are not visible in the list but are always allowed, because WordPress will not function correctly without them.
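The learning mode / review / enforce cycle described above, shown as an added example in Python that is not Really Simple SSL’s own code. It assumes that learning mode works by sending a report-only policy and collecting the browser’s standard `csp-report` JSON; the base policy (with unsafe-inline on script-src and style-src, as the page notes) and the sample violation reports are constructed for this example and do not reproduce the plugin’s actual default directives.

```python
import json
from urllib.parse import urlsplit

# Constructed base policy standing in for the always-allowed defaults. As the
# page notes, WordPress currently needs 'unsafe-inline' on script-src and style-src.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
}

def origin_of(blocked_uri):
    """Reduce a report's blocked-uri to an allow-list source (scheme + host)."""
    if blocked_uri == "inline":
        return "'unsafe-inline'"
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None

def learn(policy, reports):
    """Learning mode: fold browser violation reports into a copy of the allow list."""
    learned = {k: list(v) for k, v in policy.items()}
    for raw in reports:
        r = json.loads(raw)["csp-report"]
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        src = origin_of(r["blocked-uri"])
        # A directive first seen in a report starts from 'self' plus the new source.
        if src and src not in learned.setdefault(directive, ["'self'"]):
            learned[directive].append(src)
    return learned

def revoke(policy, directive, source):
    """Review step: drop a source the site owner decided is not legitimate."""
    policy[directive] = [s for s in policy[directive] if s != source]
    return policy

def header(policy, enforce):
    """Report-Only header while learning; the enforcing header once 'Enforce' is clicked."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    value = "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())
    return f"{name}: {value}"

# Constructed sample reports, in the shape a browser POSTs during learning mode.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "script-src", '
    '"effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "font-src", '
    '"effective-directive": "font-src", "blocked-uri": "https://fonts.example.org/f.woff2"}}',
]
```

Pages not visited during learning produce no reports, so their sources never reach the allow list; that is the breakage the note above warns about.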

Keeping your Content Security Policy up-to-date

Since adding new content can result in new violations, we recommend re-enabling learning mode when testing new functionality to make sure the necessary directives are added to your Content Security Policy. Keep your Content Security Policy up-to-date and stay safe! Contact us if you have any questions or remarks about this feature.
