Configuring the Content Security Policy


To configure the Content Security Policy, open the Really Simple SSL dashboard, go to the settings tab and select “Content Security Policy”.

  1. If your whole site is behind SSL, turn on “Upgrade Insecure Requests” to make sure all requests made to your site go over SSL, even if the links do not specify “https:”.
  2. If you don’t want your website to be embedded in an iFrame by other websites, set the “Frame Ancestors” setting to “None”, or to “Self” to allow iFrame embedding by your own site only. Most sites can safely set this to “None”.
  3. [Advanced Setting] To further enhance security, you can enable “Learning Mode” to automatically configure the “Source Directives” settings of the Content Security Policy.

 

Learning Mode takes a while to detect all the rules the Content Security Policy needs. We recommend letting Learning Mode run for at least a couple of days on the average website. If you do not have many visitors, or parts of your website are rarely accessed by visitors, we recommend going through the entire website yourself, visiting all pages and trying all functions, before enforcing the Source Directives part of the Content Security Policy. Failing to do this may leave your site not fully functional.

After a couple of days, go back to the settings page, click “Exit Learning Mode”, review the rules detected by Learning Mode and click “Enforce” to enable the Content Security Policy.

Note:
Using Learning Mode to configure your Content Security Policy is very easy, but it assumes that your site is not hacked or infected. Any traffic detected by Learning Mode is automatically translated into an “Allow” rule for your Content Security Policy. If nothing looks out of order, you can click “Enforce” to enable the Content Security Policy. If you see references to sources you do not expect, you can revoke the permissions for those and then enable the Content Security Policy. If these are legitimate components used by your site, however, revoking them will break that functionality! If you suspect that Learning Mode has detected malicious sources and do not know how to assess them, seek help from an expert who can!
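The review step described above can be done offline against the policy your site ends up serving. The following is an added example, not Really Simple SSL code. It assumes the three settings map to the standard `upgrade-insecure-requests`, `frame-ancestors` and `*-src` directives of a `Content-Security-Policy` response header; the header value and expected-host list are constructed for illustration.

```python
# Added example: audit a Content-Security-Policy header value offline.
# SAMPLE_HEADER and EXPECTED_HOSTS are constructed; replace them with your own.
SAMPLE_HEADER = (
    "upgrade-insecure-requests; frame-ancestors 'none'; "
    "script-src 'self' https://cdn.example.com https://unknown-tracker.example.net; "
    "img-src 'self' data: https://cdn.example.com"
)
EXPECTED_HOSTS = {"cdn.example.com"}


def parse_csp(header):
    """Split a CSP header into {directive: [values]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source):
    """Return the host of a host-source, or None for keywords, nonces and bare schemes."""
    if source.startswith("'") or source.endswith(":"):
        return None  # e.g. 'self', 'none', data:, https:
    host = source.split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0].lower()


def audit(header, expected_hosts):
    """Return a list of findings for the settings discussed in this article."""
    policy = parse_csp(header)
    findings = []
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests is missing")
    ancestors = [v.lower() for v in policy.get("frame-ancestors", [])]
    if ancestors not in (["'none'"], ["'self'"]):
        findings.append("frame-ancestors is not 'none' or 'self'")
    for name, values in policy.items():
        if "-src" not in name:  # only the source directives (script-src, img-src, ...)
            continue
        for value in values:
            host = host_of(value)
            if host and host not in expected_hosts:
                findings.append(f"{name}: unexpected source {value}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADER, EXPECTED_HOSTS):
        print(finding)
```

Any host reported as unexpected is one to assess before clicking “Enforce”: either add it to your expected list because it is a legitimate component, or revoke it.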


Peter Tak


Security Officer at Really Simple Plugins
