Really Simple SSL pro has the ability to generate a Content Security Policy for your WordPress site. A Content Security Policy is an added layer of security that can mitigate and detect various security threats. Since this is an advanced feature, we recommend using this function if you have an understanding of what a Content Security Policy does. Do note that this Content Security Policy won’t protect your site 100%. With the way WordPress is currently set up, both script-src and style-src allow unsafe-inline execution to make a Content Security Policy work with WordPress. We are aware that this is not an ideal situation and will be looking at ways to improve this in future iterations of the Content Security Policy generator.
Because the Content Security Policy rules are written to the .htaccess file, the Content Security Policy generation only works when the ‘301 .htaccess redirect’ option is enabled in the plugin settings. This is a pro feature, so Really Simple SSL pro is required as well.
The Content Security Policy generator
The Content Security Policy generation has two features:
- A reporting feature to gather data about used resources on your site.
- A ‘live’ feature to enforce the Content Security Policy rules.
Content Security Policy reporting
To start generating a Content Security Policy, enable the ‘Content Security Policy – Reporting active’ option in the ‘Security Headers’ tab of the Really Simple SSL pro settings. Do not enable the ‘Enforce’ option yet! The reporting functionality won’t have any effect on your site yet, because Really Simple SSL will only collect the resources used on your website. You will see a message that indicates that Really Simple SSL has started collecting data. We advise coming back after a few days; Really Simple SSL will also show a notification when it has paused reporting. To prevent a flood of requests, reporting stops after 20 requests.
A notice will show up in your dashboard, notifying you that you can evaluate the reported items. You can then activate reporting again, or start configuring your Content Security Policy.
After a few days, your Content Security Policy generator block will have reported all resources that are currently flagged as violations of your Content Security Policy. The block should look something like this:
The Content Security Policy tab contains five different columns.
- Found: when the violation was first detected
- On page: the page on which the violation was first detected
- Directive: the specific Content Security Policy directive that was violated. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#Directives
- Domain/protocol: the domain or protocol that triggered the violation
- Allow/Revoke: click Allow to add the rule, click Revoke to revoke the rule from the Content Security Policy
Clicking on the ‘Allow’ button adds the rule to the Content Security Policy. For example, the row ‘img-src data:’ indicates there is an image loading via the data: protocol. The data: protocol isn’t allowed by default. Therefore pressing the ‘Allow’ button will add ‘img-src data:’ to your Content Security Policy. Rules can be removed from your Content Security Policy by clicking the Revoke button.
Enforcing the Content Security Policy
After letting the report feature gather data for a while and adding the reported resources you trust to your policy (we recommend leaving it in report mode for at least a week), the Content Security Policy can be enforced by enabling the ‘Enforce Content Security Policy’ option:
Once the Content Security Policy rules are enforced, content that is not explicitly allowed is prevented from running on your website.
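To make the reporting table and the report/enforce switch concrete, here is an added Python example that is not part of Really Simple SSL and does not reflect how the plugin stores its data. It parses browser violation reports in the standard report-uri JSON format, collapses them into the same columns the plugin shows (on page, directive, domain/protocol), applies an ‘Allow’ or ‘Revoke’ to a policy, and renders the mod_headers line that would go into .htaccess, first as Report-Only and then as the enforced header. The sample reports, the example.test hostnames and the starting policy are constructed for this example; the plugin’s own reporting endpoint is assumed to exist and is out of scope.

```python
import json
from urllib.parse import urlsplit

# Constructed sample violation reports in the JSON shape browsers POST to a
# report-uri endpoint. The values are made up for this example.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/about/",
        "effective-directive": "img-src",
        "violated-directive": "img-src 'self'",
        "blocked-uri": "data",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "effective-directive": "script-src",
        "violated-directive": "script-src 'self' 'unsafe-inline'",
        "blocked-uri": "https://cdn.example-analytics.test/tracker.js",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/about/",
        "effective-directive": "img-src",
        "violated-directive": "img-src 'self'",
        "blocked-uri": "data",
    }}),
]

# Constructed starting policy, shaped like the article describes: inline
# scripts and styles stay allowed so WordPress keeps working.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
}


def source_expression(blocked_uri):
    """Reduce a blocked-uri to the source expression that would allow it.
    Browsers report 'data', 'blob', 'inline' and 'eval' as bare keywords;
    for URLs only scheme and host are kept, never the full path."""
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"
    if blocked_uri == "inline":
        return "'unsafe-inline'"
    if blocked_uri == "eval":
        return "'unsafe-eval'"
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("unrecognised blocked-uri: %r" % blocked_uri)
    return "%s://%s" % (parts.scheme, parts.netloc)


def summarize_reports(raw_reports):
    """Collapse raw reports into table rows (on page, directive, source).
    The first page a violation was seen on wins; repeats are only counted."""
    rows = {}
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        # older browsers only send violated-directive with the full value
        directive = (report.get("effective-directive")
                     or report["violated-directive"].split()[0])
        source = source_expression(report["blocked-uri"])
        row = rows.setdefault((directive, source), {
            "on_page": report["document-uri"],
            "directive": directive,
            "source": source,
            "count": 0,
        })
        row["count"] += 1
    return list(rows.values())


def allow(policy, directive, source):
    """'Allow' button: add the source to the directive without mutating input.
    A directive that is not listed yet inherits the default-src sources,
    otherwise 'img-src data:' alone would block the site's own images."""
    new = {k: list(v) for k, v in policy.items()}
    values = new.setdefault(directive, list(new.get("default-src", [])))
    if source not in values:
        values.append(source)
    return new


def revoke(policy, directive, source):
    """'Revoke' button: drop the source from the directive again."""
    return {k: [s for s in v if not (k == directive and s == source)]
            for k, v in policy.items()}


def render_policy(policy):
    return "; ".join("%s %s" % (d, " ".join(v)) for d, v in policy.items())


def htaccess_line(policy, enforce=False):
    """mod_headers directive for .htaccess: Report-Only while collecting
    data, the enforced header once the policy is considered complete."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return 'Header set %s "%s"' % (name, render_policy(policy))


if __name__ == "__main__":
    for row in summarize_reports(SAMPLE_REPORTS):
        print(row)
    policy = allow(BASE_POLICY, "img-src", "data:")
    print(htaccess_line(policy))
    print(htaccess_line(policy, enforce=True))
```

The important design choice is in `allow`: a fetch directive that is absent falls back to default-src, so adding a new directive must start from the default-src sources rather than from an empty list. The Report-Only header only produces data when a report-uri (or report-to) endpoint is configured and receiving the browser's POSTs; the example leaves that endpoint out and works on reports already collected.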
Keeping your Content Security Policy up-to-date
Since adding new content can result in new violations, we recommend keeping close tabs on the Content Security Policy section to see if any new rules have to be added to your Content Security Policy. The Really Simple SSL Dashboard (Settings -> SSL) will show a notification when a new violation has been found:
Keep your Content Security Policy up-to-date and stay safe! Contact us if you have any questions or remarks about this feature.