(Help) Content Security Policy

daya143

Active member
Apr 5, 2020
189
36
28
Hello all,
I want to set the security headers on my site. I get everything fine except one, Content-Security-Policy, because it causes problems with my WordPress & Elementor (can't edit).
I tried default-src 'none' or 'self', script-src 'self', no use; only upgrade-insecure-requests is working. I am using the code in .htaccess.
Please help!!
 

ckeeper

Well-known member
Nov 8, 2019
623
376
63
I use the following without any issues on a LiteSpeed server
Code:
    # Header values containing spaces or semicolons must be quoted, otherwise the Header directive rejects the extra arguments
    Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set Referrer-Policy strict-origin-when-cross-origin
    Header always set Strict-Transport-Security "max-age=15552000"
    Header set X-Content-Type-Options nosniff
    Header always set Expect-CT "enforce, max-age=21600"
    Header always set Feature-Policy "geolocation 'self'; vibrate 'self'"
 

daya143

Active member
Apr 5, 2020
189
36
28
Thank you @ckeeper, I tried this, but I want to avoid 'unsafe-inline' and 'unsafe-eval', which are dangerous.
Any other solutions?
 

ckeeper

Well-known member
Nov 8, 2019
623
376
63
You can also try the following
Code:
Content-Security-Policy: frame-ancestors 'self' yourdomain.com *.yourdomain.com
Content-Security-Policy: upgrade-insecure-requests
 

daya143

Active member
Apr 5, 2020
189
36
28
Thanks, but I get a big error on observatory.mozilla.org; my client checks his site on securityheaders & observatory.mozilla.org. Your code works fine for me to run Elementor without problems, but I have to solve the problem with observatory.mozilla.org. I am getting A+ at securityheaders.

Header set Content-Security-Policy "frame-ancestors 'self' mydomainname.com *.mydomainname.com; upgrade-insecure-requests"
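To see why the two policies in this thread score so differently, here is an added example (my own code, not from any poster and not the scanners' real algorithms): a small CSP parser that flags the source expressions a scanner treats as weakening script protection. The third policy it checks is a constructed strict one using a placeholder nonce; the `'nonce-…'` value is an assumption to illustrate the shape of a policy that avoids 'unsafe-inline', and it only works when the server generates a fresh nonce per response, which a static .htaccess cannot do on its own.

```python
"""Simplified Content-Security-Policy weakness checker.

Added example, not part of the forum thread. The rules below are an
illustrative approximation of what scanners such as Mozilla Observatory
look at; they are NOT that scanner's actual scoring algorithm.
"""
from typing import Dict, List

# Source expressions that effectively disable script/object restrictions.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';'; the first token of each is the
    directive name, the remaining tokens are its sources. Browsers ignore
    a repeated directive after the first one, and so does this parser.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives fall back to default-src when they are absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def find_weaknesses(header: str) -> List[str]:
    """Return human-readable findings for the weak settings in a policy."""
    policy = parse_csp(header)
    findings: List[str] = []

    # With neither directive present, scripts may load from anywhere.
    if "default-src" not in policy and "script-src" not in policy:
        findings.append("no default-src or script-src: scripts from any origin are allowed")

    # script-src and object-src are the directives that matter most for XSS.
    for directive in ("script-src", "object-src"):
        for src in effective_sources(policy, directive):
            if src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")

    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: clickjacking protection relies on X-Frame-Options only")
    return findings


# Constructed inputs: the two policies from the thread plus a strict one.
POLICY_PERMISSIVE = "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
POLICY_FRAME_ONLY = (
    "frame-ancestors 'self' mydomainname.com *.mydomainname.com; "
    "upgrade-insecure-requests"
)
# Placeholder nonce: a real deployment must generate a new random value per response.
POLICY_STRICT = (
    "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
    "object-src 'none'; frame-ancestors 'self'"
)

if __name__ == "__main__":
    for label, header in (("permissive", POLICY_PERMISSIVE),
                          ("frame-only", POLICY_FRAME_ONLY),
                          ("strict", POLICY_STRICT)):
        print(f"{label}: {find_weaknesses(header) or ['no findings']}")
```

The frame-ancestors-only policy keeps Elementor working precisely because it says nothing about scripts, which is also why a scanner treats it as offering no XSS protection; the permissive policy names scripts but then allows inline and eval. A practical way to work towards the strict shape without breaking the editor is to ship the candidate policy as Content-Security-Policy-Report-Only first and read the violation reports before enforcing it.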
 

ckeeper

Well-known member
Nov 8, 2019
623
376
63
Hey daya, it is kind of hit and miss with CSP and WordPress, considering a bunch of plugins are not coded properly. You cannot achieve site security using only CSP policies etc.; you do need some sort of WAF to handle all these attacks. That would be a much better approach; after all, you want to block all these attacks before they reach the server. My 2 cents.
 

daya143

Active member
Apr 5, 2020
189
36
28
Thanks for the info @ckeeper, I agree with what you say. I did my maximum for security (WAF, code, permissions, etc.). The problem is the security headers. I proposed to my client not to edit anything via Elementor and everything would be OK, but he insists on getting an A+ on https://observatory.mozilla.org & securityheaders and wants Elementor editable, so I am searching for solutions. You know, @ckeeper, CLIENT IS A KING lol
 

videva

Member
Aug 25, 2020
75
53
18
Thanks for the info @ckeeper, I agree with what you say. I did my maximum for security (WAF, code, permissions, etc.). The problem is the security headers. I proposed to my client not to edit anything via Elementor and everything would be OK, but he insists on getting an A+ on https://observatory.mozilla.org & securityheaders and wants Elementor editable, so I am searching for solutions. You know, @ckeeper, CLIENT IS A KING lol
Tell your client that even Facebook only gets a D+ on observatory.mozilla.org.
 

daya143

Active member
Apr 5, 2020
189
36
28
Just asking, is this (edit) type better, or downloading the premium version from babiato?
Which one is the best way?
 
