WP Content Security Policy Plugin

Version : 1.3
Tested up to : 4.6.7
Number of downloads : 5479
Average rating : 5 / 5 on 9 votes

Content Security Policy (CSP) is a W3C standard for preventing cross-site scripting (XSS) and related attacks. XSS lets other people run scripts on your site, so it is no longer your application that is running there, and because of the Same-Origin Policy it opens your whole domain to attack: XSS anywhere on your domain is XSS everywhere on your domain (see https://www.youtube.com/watch?v=WljJ5guzcLs). CSP tells the browser to run your application in a least-privilege environment: the client may only load resources from the sources you list and blocks everything from anywhere else.

Adding CSP to your site will protect your visitors from:

Cross-site scripting (XSS) attacks
Adware and spyware while on your site

Directives

CSP lets you control where your visitors' browsers are allowed to load code and other resources from. The W3C specification defines the following directives (among others):

default-src : The fallback policy for loading content. Any directive below that you leave blank falls back to this one; once you set a directive, default-src no longer applies to that resource type.
script-src : Valid sources of JavaScript.
style-src : Valid sources of stylesheets.
img-src : Valid sources of images.
connect-src : Applies to XMLHttpRequest (AJAX), WebSocket and EventSource connections.
font-src : Valid sources of fonts.
object-src : Valid sources of plugin content (object, embed, applet). Stops your site becoming the source of drive-by attacks.
media-src : Valid sources of audio and video.
frame-src : Valid sources for loading frames.
sandbox : Enables a sandbox for the requested resource, similar to the iframe sandbox attribute.
form-action : Restricts which URLs can be used as the action of HTML form elements.
frame-ancestors : Restricts which sources may embed this page using frame, iframe, object, embed, etc. It replaces X-Frame-Options and is only honoured when sent as an HTTP header, not from a meta tag.
plugin-types : Restricts the set of plugins that can be invoked by limiting the MIME types of resources that can be embedded.
report-uri : URL to which the browser POSTs a JSON report each time the policy is violated. This is how the plugin collects the violations it logs.

Each directive can take one or more of the following values:

* : Allows loading resources from any source, except data:, blob: and filesystem: URLs, which must be listed as schemes explicitly.
'none' : Blocks loading resources from all sources.
'self' : Your own origin (the same scheme, host and port as the page).
'unsafe-inline' : Allows inline elements, such as code in script tags, onclick attributes and style attributes. In script-src this also lets any injected inline script run, which defeats most of the XSS protection; CSP level 2 nonces or hashes are the safer way to allow specific inline scripts.
'unsafe-eval' : Allows dynamic code evaluation such as JavaScript eval(), new Function() and string arguments to setTimeout().
data: : Allows loading resources from the data: scheme, usually inline images. Do not add it to script-src or object-src: an attacker can inject a data: URL as easily as any other content.
https: : Only allows loading resources over HTTPS, from any domain.
www.example.com : Allows loading resources from this host using the page's own scheme (a page served over http may also load it over https; a page served over https will not load it over http).
*.example.com : Allows loading resources from any subdomain of example.com, using the page's own scheme as above. The wildcard does not match example.com itself.
http://www.example.com : Allows loading resources from this host using this scheme only.
www.example.com/path/to/file/ : A path appended to a host source. With a trailing slash it allows any file under that path on that host.
www.example.com/path/to/file/thefile : Allows loading only this one file on that host.

This plugin helps you set your CSP directives and adds them as a header to each page a visitor requests. Policy violations are logged in a database table. An admin page lists all the violations, along with counts, and buttons let you add the reported sites to your headers. Check each reported source before you do so: the report a missing legitimate resource produces looks the same as the report an injected script produces, and adding that origin to your header turns the block into an allow. The plugin also lets you ignore sites that repeatedly violate your policies. For example, some tracking images will show up as violating your policies, but you still do not want them to run, so you can keep that site out of your logs.

Written By

This plugin was written by Dylan Downhill, CIO of Elixir Interactive.
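The directive and source rules above, and the report handling the plugin description mentions, as a runnable model. This is an added example written for this page, not the plugin's own code and not a browser's actual implementation. It builds a header value from a directive map, decides whether a request would be allowed under the source rules listed above (default-src fallback, 'self', scheme sources, host, wildcard and path sources, 'none'), tallies violation reports of the kind browsers POST to report-uri while honouring an ignore list, as the plugin's admin page does, and adds a reported origin to a directive the way the plugin's buttons do. The policy, page URL, hostnames and report bodies are constructed sample data; ports in host sources and nonce or hash sources are left out.

```javascript
// Added example for this page, not the plugin's code; all data below is constructed.

// 1. Serialise a directive map into the header value sent as Content-Security-Policy.
function buildHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// 2. Match one source expression against a URL requested by the page at pageUrl.
//    Ports and nonce/hash sources are not modelled.
function sourceMatches(expr, url, pageUrl) {
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (expr === "'self'") return url.origin === pageUrl.origin;
  if (expr.startsWith("'")) return false;          // 'none', 'unsafe-inline', ...: never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // https:, data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(\/\S*)?$/i.exec(expr);
  if (!m) return false;                            // not a host source this model understands
  const [, scheme, host, path] = m;
  if (scheme) {
    if (url.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (url.protocol !== pageUrl.protocol &&
             !(pageUrl.protocol === 'http:' && url.protocol === 'https:')) {
    return false;                                  // no scheme given: inherit the page's; http may use https
  }
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1).toLowerCase())) return false; // subdomains, not the bare domain
  } else if (url.hostname !== host.toLowerCase()) {
    return false;
  }
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) {
    return false;                                  // trailing slash = prefix match, otherwise exact
  }
  return true;
}

// Would the browser load urlString for the given directive? An unset directive
// falls back to default-src; if neither is set the load is unrestricted.
function fetchAllowed(policy, directive, urlString, pageUrlString) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  const url = new URL(urlString);
  const pageUrl = new URL(pageUrlString);
  return sources.some((expr) => sourceMatches(expr, url, pageUrl));
}

// 3. Tally reports of the form {"csp-report": {...}} that browsers POST to
//    report-uri, keyed by directive and blocked origin. Origins in `ignored`
//    are dropped, which is the plugin's "ignore this site" feature.
function aggregateReports(reports, ignored = []) {
  const counts = {};
  for (const { 'csp-report': r } of reports) {
    // Older browsers send only violated-directive, which includes the source list.
    const directive = (r['effective-directive'] || r['violated-directive']).split(' ')[0];
    let source;
    try {
      source = new URL(r['blocked-uri']).origin;
    } catch (e) {
      source = r['blocked-uri'];                   // 'inline', 'eval', 'data' are not URLs
    }
    if (ignored.includes(source)) continue;
    const key = `${directive} ${source}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Add a reported origin to a directive (the "add to headers" button). Starting
// from the inherited default-src list matters: once the directive exists,
// default-src no longer applies to it, and [source] alone would drop 'self'.
// 'none' is removed because it has no effect next to other sources.
function addSource(policy, directive, source) {
  const base = policy[directive] || policy['default-src'] || [];
  if (base.includes(source)) return policy;
  return { ...policy, [directive]: [...base.filter((s) => s !== "'none'"), source] };
}

const samplePolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com', '*.static.example'],
  'style-src': ["'self'", 'https://cdn.example.com/css/'],
  'img-src': ["'self'", 'data:', 'https:'],
  'object-src': ["'none'"],
  'report-uri': ['/csp-report'],
};
const PAGE = 'https://www.example.com/post/1';

// Constructed violation reports; the field names are the ones browsers use.
const sampleReports = [
  { 'csp-report': { 'document-uri': PAGE, 'blocked-uri': 'http://tracker.example/pixel.gif', 'effective-directive': 'img-src', 'violated-directive': "img-src 'self' data: https:" } },
  { 'csp-report': { 'document-uri': PAGE, 'blocked-uri': 'http://tracker.example/pixel.gif', 'effective-directive': 'img-src', 'violated-directive': "img-src 'self' data: https:" } },
  { 'csp-report': { 'document-uri': PAGE, 'blocked-uri': 'https://cdn.evil.example/x.js', 'effective-directive': 'script-src', 'violated-directive': "script-src 'self' https://cdn.example.com *.static.example" } },
  { 'csp-report': { 'document-uri': PAGE, 'blocked-uri': 'inline', 'violated-directive': "script-src 'self' https://cdn.example.com *.static.example" } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildHeader(samplePolicy));
  console.log(fetchAllowed(samplePolicy, 'script-src', 'https://a.static.example/x.js', PAGE)); // true
  console.log(fetchAllowed(samplePolicy, 'font-src', 'https://fonts.example/f.woff', PAGE));    // false: default-src applies
  console.log(aggregateReports(sampleReports, ['http://tracker.example']));
}
```

Run it with node to print the header, two load decisions and the tally. The two points worth noticing are the default-src fallback (font-src is unset in the sample policy, so fonts are held to 'self') and that addSource starts from the inherited list rather than from an empty one, so whitelisting a font host does not silently stop your own fonts from loading.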
