To enable a Content Security Policy in Really Simple Security Pro, start by navigating to Security -> Settings (in the top menu bar) -> Security Headers -> Content Security Policy.
Getting started with the Content Security Policy
#1: Upgrade-Insecure-Requests
If your site is working correctly over SSL/HTTPS, you should enable the “Upgrade Insecure Requests” slider to ensure that all requests made to your site are performed over HTTPS (even if their links do not explicitly specify “https://”).
#2: Frame Ancestors
To prevent other websites from embedding your site in an iFrame, set the “Frame Ancestors” directive to ‘Self’ to allow only your own domain to embed your site. Most sites can safely use ‘Self’.
Note: you can also use the setting “None” to prevent your site from being embedded entirely, but this will prevent your site from being embedded in any iFrame (including on your own domain). This could cause issues with tools or page-builders that rely on loading your site within an iFrame (e.g., for previews or editing), so we recommend only using this setting if you are certain that your site should never be embedded in an iFrame, under any circumstances.
Managing external resources with the Content Security Policy
The most powerful feature of the Content Security Policy is the ability to control which external resources are able to load on your website. This works by creating an ‘allow-list’ with all of the resources that are used on your website, so that any content from sources that are not included (allowed) in your Content Security Policy will be blocked from loading. This creates a strong additional layer of security against malicious scripts and unauthorized content.
Learning Mode
We recommend starting by enabling “Learning Mode”, so that the plugin can automatically detect all of the resources that are used on your site and include them in your Content Security Policy. Because Learning Mode takes a while to detect all the resources and rules that have to be added to the Content Security Policy, we highly recommend leaving it enabled for at least one week on the average website.
If your site does not have many visitors, or has parts that visitors rarely access, we recommend going through your entire website yourself: visit all pages, refresh them a few times, and try all functions of your site before actually “Enforcing” the allow-list of your Content Security Policy, so that no resource missing from the policy gets blocked.
After ~1 week has passed, go back to the Content Security Policy settings and click “Exit Learning Mode”. You can then review the rules detected by Learning Mode and click “Enforce” to apply the Content Security Policy to your website.
Note:
Using Learning Mode to configure your Content Security Policy is very straightforward, but it operates on the assumption that your site does not contain malware at the time the policy is created. Any traffic detected by Learning Mode will be automatically translated into an “Allow” rule for your Content Security Policy. If you suspect that Learning Mode has detected malicious sources and do not know how to assess them, seek help from an expert who can!
If you don’t see any unexpected resources in the list, you can click “Enforce” to apply the Content Security Policy to your site. If you see references to resources that you did not expect, you can Revoke their permissions, after which you can safely enable the Content Security Policy.
When you “Revoke” a legitimate resource from the Content Security Policy (e.g., a resource that a component of your website relies on to work correctly), it will break that functionality until it is added back to the list of “Allowed” resources.
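As an added illustration (not the plugin's own code), the Python below shows what the Learning Mode / Review / Enforce cycle amounts to in CSP terms: it assumes violation reports in the standard csp-report JSON shape are collected while a Report-Only header is active, aggregates them into an allow-list per directive, lets you revoke an entry, and renders the header that would be enforced. The sample reports, their hosts and the /csp-report endpoint are constructed; the Upgrade-Insecure-Requests and Frame Ancestors 'self' lines reflect the settings chosen in the first two steps above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports in the standard "csp-report" JSON shape that a
# browser POSTs to a report-uri endpoint while a Report-Only policy is active.
# Hosts are made up; the fourth stands in for a script injected by an add-on.
SAMPLE_REPORTS = [
    '{"csp-report": {"blocked-uri": "https://fonts.googleapis.com/css?family=Roboto", "effective-directive": "style-src"}}',
    '{"csp-report": {"blocked-uri": "https://fonts.gstatic.com/s/roboto/v30/a.woff2", "effective-directive": "font-src"}}',
    '{"csp-report": {"blocked-uri": "https://www.googletagmanager.com/gtag/js", "effective-directive": "script-src"}}',
    '{"csp-report": {"blocked-uri": "https://addon-injector.example/inject.js", "effective-directive": "script-src"}}',
    '{"csp-report": {"blocked-uri": "inline", "violated-directive": "style-src \'self\'"}}',
]

# Settings from steps #1 and #2 of this page (assumed choices for the example).
BASE_DIRECTIVES = ["upgrade-insecure-requests", "frame-ancestors 'self'"]


def learn(reports):
    """Learning step: collapse violation reports into {directive: {origin}}."""
    allow = {}
    for raw in reports:
        r = json.loads(raw)["csp-report"]
        # CSP3 reports carry effective-directive; older ones only carry
        # violated-directive, whose first token is the directive name.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        uri = r["blocked-uri"]
        if uri in ("inline", "eval", "data", "blob"):
            continue  # keyword sources are a policy decision, not an origin to allow
        p = urlsplit(uri)
        allow.setdefault(directive, set()).add(f"{p.scheme}://{p.netloc}")
    return allow


def render(allow, enforce, revoked=frozenset()):
    """Return (header name, value): Report-Only while learning/reviewing, enforced after."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    parts = list(BASE_DIRECTIVES)
    for directive in sorted(allow):
        sources = sorted(o for o in allow[directive] if o not in revoked)
        parts.append(" ".join([directive, "'self'", *sources]))
    if not enforce:
        parts.append("report-uri /csp-report")  # assumed collection endpoint
    return name, "; ".join(parts)
```

Revoking an origin only removes it from the rendered header; the learned entry stays in `allow`, which is why the FAQ below recommends disallowing rather than deleting.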
Manually adding resources to the Content Security Policy
If you add new resources to your site later, after you have already generated and enforced a Content Security Policy, those new resources also have to be included in the CSP, or they will be blocked. You can re-enable Learning Mode and visit the page containing the new resource; this adds it to the existing Content Security Policy, after which you can switch the CSP back to “Enforce” mode.
Alternatively, you can add resources to the CSP manually by using the “Manual CSP Entry” button.
Consider the following example: the Administrator of a website had already configured their Content Security Policy, but they added another stylesheet to the site after the CSP had been set to “Enforce” mode. As a result, the stylesheet is blocked from loading because it is not included in the allow-list of their CSP yet.
An easy method to determine what to enter in the Manual CSP Entry fields (“URI” and “Directive”):
- Set the Content Security Policy to “Enforce” mode
- Visit the page on your site that contains the newly added resource(s)
- Open the Developer Tools of your browser, navigate to the “Console” tab (CTRL + Shift + C on Windows, CMD + Shift + C on MacOS)
Because the new resource has not been included in your currently enforced CSP, it will be blocked, and the following warning will be logged to the console. This warning contains the URI and Directive that you can enter when clicking Manual CSP Entry in Really Simple Security.
We can now obtain the URI and Directive of the new stylesheet directly from the Console warning, and enter them in the fields under Manual CSP Entry to allow the resource.
You should now see the manually added resource in the CSP allow-list; it will be allowed to load when you Enforce the CSP again.
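Added example (not from the plugin): a small Python helper that pulls the URI and Directive out of a console warning line so they can be typed into Manual CSP Entry, and also derives the origin, since allowing a full URL admits only that one file whereas allowing the origin admits every file on that host. The two sample messages are constructed in the shape Chrome and Firefox use for CSP violations; the host in them is made up.

```python
import re
from urllib.parse import urlsplit

# Constructed console lines in the shape Chrome and Firefox use for a CSP
# violation; the host is made up, not captured from a real site.
CHROME_MSG = ("Refused to load the stylesheet 'https://cdn.theme-vendor.example/css/extra.css' "
              "because it violates the following Content Security Policy directive: "
              "\"style-src 'self'\". Note that 'style-src-elem' was not explicitly set, "
              "so 'style-src' is used as a fallback.")
FIREFOX_MSG = ("Content-Security-Policy: The page's settings blocked the loading of a "
               "resource at https://cdn.theme-vendor.example/css/extra.css (\"style-src\").")

# The directive to enter is the one quoted right after "directive:", not the
# one named in Chrome's trailing "fallback" note.
CHROME_RE = re.compile(r"Refused to \w+ .*?'(?P<uri>https?://[^']+)'.*?directive: \"(?P<directive>[\w-]+)")
FIREFOX_RE = re.compile(r"resource at (?P<uri>https?://\S+) \(\"(?P<directive>[\w-]+)\"\)")


def manual_csp_entry(message):
    """Return {"uri", "origin", "directive"} for a blocked-resource warning,
    or None for lines that are not one (inline/eval violations carry no URI)."""
    for pattern in (CHROME_RE, FIREFOX_RE):
        m = pattern.search(message)
        if m:
            p = urlsplit(m.group("uri"))
            return {
                "uri": m.group("uri"),                  # allows exactly this file
                "origin": f"{p.scheme}://{p.netloc}",   # allows everything on that host
                "directive": m.group("directive"),
            }
    return None
```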
Frequently asked questions about the Content Security Policy
- The list of Source Directives in the Content Security Policy contains some unexpected domains/sources after using Learning Mode
You might see some unfamiliar domains in the allow-list of your Content Security Policy, possibly even services that you don’t actively use on your site. How is that possible?
This is caused by browser add-ons. These add-ons can include or inject scripts into the website in your browser, which get detected by Learning Mode and end up in your Content Security Policy. We recommend that you “Disallow” these domains. Please check each domain to see if it is actually used on your site; if not, you can safely disallow it.
We recommend “Disallowing” such resources rather than fully deleting them, as activating Learning Mode again would otherwise detect them once more.