Since today Really Simple SSL pro has the ability to generate a Content Security Policy for your WordPress site. Since this is an advanced feature, we recommend to only use this functionality if you have an understanding of what a Content Security Policy does. Do note that this Content Security Policy won’t protect your site 100%. With the way WordPress is currently set up, both script-src and style-src allow unsafe-inline execution to make a Content Security Policy work with WordPress. We are aware that this is not an ideal situation and will be looking at ways to improve this in future iterations of the Content Security Policy generator.
Because the Content Security Policy rules are written to the .htaccess file, the Content Security Policy generation only works when the ‘301 .htaccess redirect’ option is enabled in the plugin settings. This is a pro feature, so Really Simple SSL pro is required as well.
How to enable Content Security Policy reporting
The Content Security Policy generation has two features, a reporting feature to gather data about resources on your site and a ‘live’ feature to enforce the Content Security Policy rules. To start generating a Content Security Policy, enable the ‘Content Security Policy reporting’ option in the ‘Security Headers’ tab of the Really Simple SSL pro settings. Do not enable the ‘Add Content Security Policy to .htaccess’ option yet!
Enabling the reporting option will add a line of code to your .htaccess file to track and report any Content Security Policy violations. These violations will be found over time, the plugin performs a check on each pageload. If it detects any violations, those will be added to the ‘Content Security Policy’ tab:
The Content Security Policy tab contains five different columns.
- Found: when the violation was first detected
- On page: the page on which the violation was first detected
- Directive: the specific Content Security Policy directive that was violated. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#Directives
- Domain/protocol: the domain or protocol which is being violated
- Add to policy: the Add to policy button can be clicked to allow
Clicking on the ‘Add to policy’ button adds the rule to the Content Security Policy. For example, the ‘img-src’ data:’ indicates there is an image loading via the data: protocol. The data: protocol isn’t allowed by default. Therefore pressing the ‘Add to policy’ button will add the ‘img-src data:’ to your Content Security Policy. Clicking on the button removes the result from the overview since it is added to your Content Security Policy.
Enforcing the Content Security Policy
After letting the report feature gather data for a while and adding it to your policy (we recommend to leave it in report mode for at least a week), the Content Security policy can be enforced by enabling the ‘Enforce Content Security Policy’ option:
Once the Content Security Policy rules are enforced, content that is not explicitly allowed is prevented from running on your website.
Keeping your Content Security Policy up-to-date
Since adding new content can result in new violations, we recommend to keep close tabs on the Content Security Policy tab to see if any new rules have to be added to your Content Security Policy. The ‘Settings->SSL’ tab will show a notice when a new violation has been found:
After adding the new rules to your Content Security Policy, the warning will turn into a checkmark:
Keep your Content Security Policy up-to-date and stay safe! Contact us if you have any questions or remarks about this feature.