Block XSS vulnerabilities by including a Content Security Policy header, receives and organizes policy violations allowing for easily maintained websi
|Author:||Dylan Downhill (profile at wordpress.org)|
|WordPress version required:|
|WordPress version tested:||4.9.4|
|Added to WordPress repository:||16-08-2015|
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
|Total downloads:||26 619|
|Active installs:||3 000+|
Click to start download
Before You Start
I recommend you move all styles and scripts into include files – this will allow WP_CSP to approve the included file and will mean you can stop the browser running scripts that have been added to the page from an unknown source.
Read the ** Upgrade notice** for information on CSP version 3.
Follow the standard WordPress plugin installation procedures.
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Visit the settings under ‘Settings->Content Security Policy Options’. I recommend you run this plugin in ‘report only’ mode for a little while to help you set your CSP settings correctly.
See the new CSP V3 tab on the admin page.
What is the best way to set a content security policy
When you first turn on CSP, put into report-only mode and build the basic rules for your site. After about a week, turn off report-only and go to enforce rules.
If you want to implement the latest W3C version of CSP – version 3 Google recommends – set the following for default-src, script-src, and style-src:
‘unsafe-inline’ ‘unsafe-eval’ ‘strict-dynamic’ https: http:
(single quotes are required) This will allow modern browsers to run the latest version of CSP with nonces, etc. and older browsers to just work without restrictions.
If you’re going to run CSP v2, one good way of building a policy for a site would be to begin with a default-src of ‘self’, and to build up a policy from there that contains only those resource types which are actually in use for the page you’d like to protect. If you don’t use webfonts, for instance, there’s no reason to specify a source list for font-src; specifying only those resource types a page uses ensures that the possible attack surface for that page remains as small as possible.
Should I set ‘self’ in all options
Usually you will trust your own site for all directives; however, I usually only add ‘self’ when it shows up as a violation. None of these directives is inherited, except some directives will default to ‘default-src’ if not set explicitly.
Should I set ‘*’ in all options?
Usually you would want to keep security as strict as possible while still allowing your application to run. Therefore, ‘*’ should be avoided.
Can I have a different policy for each page?
The W3C specification allows for a different policy for each page, this plugin was not written with page-level security capability.
Can I have some options enforced and some report-only?
The W3C specification allows for this functionality; this plugin does not support this capability.
No errors are getting logged
- First check that your site is producing CSP errors by starting the developer tools in your browser (usually F12) and checking for messages in the console output.
- If nothing is in the console output then check the page has a CSP header by looking at the page in the ‘network’ tab of the dev tools. Check the ‘response’ has a header called ‘content-security-policy’ or ‘content-security-policy-report-only’ – if this is misisng then the plugin is not running or CSP is not enabled.
- If there is a CSP header and nothing is reported in the console then you have no violations and everything is running as it should. Yippee!
- If there is a CSP header and errors in the console then the REST route might not be registered properly. Go to /wp-json and look for ‘wpcsp’ (usually CTRL-F for find and type in wpcsp) – if nothing is listed then the REST route is not getting registered.
- Look in the PHP error logs for an error – post the error, file name and line number in the support forums and I should be able to work out why it’s failing.
CSP v3 Inline Scripts/Styles
Inline scripts and styles can be dangerous, you do not know which scripts wrote them and probably don’t want them run if you can avoid it. When you use ‘script-dynamic’, the “unsafe-eval” and “unsafe-inline stop working and the browser will say in the console “Note that ‘unsafe-inline’ is ignored if either a hash or nonce value is present in the source list.”
To fix this either:
* Put all the scripts and/or style code into files and include the files.
* If the browser returns “Either the ‘unsafe-inline’ keyword, a hash (‘sha256-h3SEZNZpOYg4jp6TCkoWN7Z477Qt3q1owH0SPbz+a4M=’), or a nonce (‘nonce-…’) is required to enable inline execution.” – you can take the SHA number (including single quotes) and put that in the policy line.
How Big Does The Database Get
This is different for all sites. The plugin will automatically delete records older than one week to keep the size managable. Also, if too many records are found the system will only report on the worse errors to avoid locking your browser.
Handling the Violation Reports/Errors Is A Big Resouce Drain
Every error output by your browser is likely to result in a call to the server to log the error – if a page has 20 errors that’s 20 calls to your server – this can be a lot of processing power. To avoid this change the “Log Violations” option from “Yes, All” to “Yes – 10%”, “Yes – 1%’, or “Yes – 0.1%” – in each case the plugin will randomly allow only a set fraction of your visitors to report errors back to the server, they’re still enfored at the browser but no report will come back to your site.
- Bug: CSP Enforced mode was getting lost due to ’empty()’ check
- Moved CSP v3 information into tab on admin screen to make it easier to find
- Grouped options on admin panels – added red border to make grouping obvious
- Added HSTS preload option and warning text. Handle auto-redirect by WordPress.
- Added support for ‘unsafe-hashed-attributes’ which is a W3C work in progress setting
- Bug: Undefined variables in admin screens
- Bug: Display of errors for policies was breaking
- Bug: internal link tester failed due to private function
- Tested against WordPress 4.9.4
- Added full support for CSP version 3 – nonces, auto-tagging scripts and style tags, etc. See section CSP v3 Additional Nonce Tagging
- Added ‘base-uri’ and ‘require-sri-for’
- Changed to use get_rest_url()
- Added support for various other security related header options
- Added ability to change URL violations are reported to
- Added validation of URLs entered
- Added ability to turn off CSP headers while keeping other security related headers
- Fixed issue when run on PHP below 5.6 (tested on PHP 5.3)
- Add support for block-mixed-content and upgrade-insecure-requests
- Add support for worker-src and manifest-src
- Add support for mediastream: and filesystem:
- Add display of configuration errors at the top of the save page.
- Fix register_route issues
- Change size of configuration entry boxes to match their contents.
- Fixed issues running on WP 4.8
- Limit logged violations to top 100.
- Bug in Rest route registering
- Create table limits the size of the secondary key to avoid table creation issues
- Updated requires to 4.4 due to Rest integration
- Bug in Rest route
- Update ‘tested up to’ to WordPress 4.9
- Moved to REST calls
- Update ‘tested up to’ to WordPress 4.6
- Fixed wrong label on ‘frame ancestors’ admin field.
- Added ability to limit load on server by only logging errors for a percentage of page loads.
- Auto creates log table if it’s missing.
- Some class and admin functions were not static but needed to be.
- Fixed undefined variables.
- Added entry verification for admin screen and added information for user.
- Using the automatic add to policy/ignore is now cleaner and simpler.
- Added nonce in callback to prevent attacks.
- Bug fix.
- Initial release.