To configure the Content Security Policy, open the Really Simple SSL dashboard, go to the Settings tab and select “Content Security Policy”.
- If your whole site is behind SSL, turn on “Upgrade Insecure Requests” to make sure all requests made to your site are done over SSL, even if the links do not specify “https:”.
- If you don’t want your website to be embedded in an iframe by other websites, set the “Frame Ancestors” setting to “None”; set it to “Self” if you need to embed your own site in an iframe. Most sites can safely set this to “None”.
- [Advanced Setting] To further enhance security you can enable “Learning Mode”, which automatically configures the “Source Directives” settings of the Content Security Policy.
Learning Mode takes a while to detect all the rules the Content Security Policy needs. We recommend letting Learning Mode run for at least a couple of days on an average website. If your site has few visitors, or has parts that visitors rarely access, we recommend going through the entire website yourself, visiting every page and trying every function, before enforcing the Source Directives part of the Content Security Policy. Failing to do this may leave your site not fully functional. After a couple of days, go back to the settings page, click “Exit Learning Mode”, review the rules detected by Learning Mode and click “Enforce” to enable the Content Security Policy.
After running Learning Mode for a few days, you will often see some strange domains in your allow list. These can include services you don’t use on your site. How is that possible?
This is caused by browser add-ons. These add-ons can inject script sources into your website in the user’s browser. They get picked up by the reporting and end up in your policy. We recommend disallowing these domains. Check every domain to see whether it is actually used on your site; if not, disallow it. We recommend not deleting it, because otherwise it will be added again in Learning Mode.
Using Learning Mode to configure your Content Security Policy is very easy, but it assumes that your site is not hacked or infected. Any traffic detected by Learning Mode is automatically translated into an “Allow” rule for your Content Security Policy. If nothing looks out of order, you can click “Enforce” to enable the Content Security Policy. If you see references to sources you do not expect, you can revoke the permissions for those and then enable the Content Security Policy. If these are legitimate components used by your site, that functionality will break, though! If you suspect that sources detected by Learning Mode are malicious and do not know how to assess them, seek help from an expert who can!
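To make the Learning Mode workflow described above concrete, here is an added Python example (not the plugin’s own code) that does what a learning mode does: it aggregates report-only CSP violation reports into per-directive allow lists, keeps reviewed-and-disallowed origins out of the policy without deleting them so a repeat report cannot re-add them, sets non-URL values such as `inline` aside for human review, and renders the enforceable header with `frame-ancestors` and `upgrade-insecure-requests`. The report bodies, domain names and the `DISALLOWED` set are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample reports, shaped like the JSON bodies a browser POSTs to
# the report endpoint of a Content-Security-Policy-Report-Only header.
SAMPLE_REPORTS = [
    {"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.analytics.example.net/tag.js"}},
    {"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://cdn.analytics.example.net/other.js"}},
    {"csp-report": {"violated-directive": "img-src", "blocked-uri": "https://images.cdn.example.com/logo.png"}},
    {"csp-report": {"violated-directive": "script-src", "blocked-uri": "https://ext.addon.invalid/inject.js"}},
    {"csp-report": {"violated-directive": "style-src", "blocked-uri": "inline"}},
]

# Origins the site owner reviewed and rejected (constructed). They stay on this
# list rather than being deleted, so a repeat report does not re-add them.
DISALLOWED = {"https://ext.addon.invalid"}

def learn_sources(reports, disallowed=frozenset()):
    """Aggregate report-only violations into per-directive origin allow lists.

    Returns (allowed, review): allowed maps directive -> sorted origins that
    were not disallowed; review collects non-URL values ('inline', 'eval',
    'data') and disallowed hits so a person sees them instead of them silently
    becoming Allow rules."""
    allowed, review = {}, []
    for entry in reports:
        rep = entry["csp-report"]
        directive = rep["violated-directive"].split()[0]
        blocked = rep.get("blocked-uri", "")
        parts = urlsplit(blocked)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            review.append((directive, blocked))
            continue
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin in disallowed:
            review.append((directive, origin))
            continue
        allowed.setdefault(directive, set()).add(origin)
    return {d: sorted(o) for d, o in allowed.items()}, review

def build_policy(allowed, upgrade_insecure=True, frame_ancestors="'none'"):
    """Render an enforceable Content-Security-Policy header value."""
    parts = [f"{d} 'self' {' '.join(o)}" for d, o in sorted(allowed.items())]
    parts.append(f"frame-ancestors {frame_ancestors}")
    if upgrade_insecure:
        parts.append("upgrade-insecure-requests")
    return "; ".join(parts)

if __name__ == "__main__":
    allowed, review = learn_sources(SAMPLE_REPORTS, DISALLOWED)
    print(build_policy(allowed))
    print("needs review:", review)
```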