Secure your WordPress sites with the Content Security Policy HTTP Header
The Content Security Policy HTTP header is part of Shield's HTTP Headers module. It lets you restrict the sources and types of content that visitor browsers may load and process.
In essence, it allows you to dictate which resources, files, etc. the browser may load and process.
Shield's Content Security Policy Header covers all types of assets, whether it’s images, scripts, objects, or styles etc.
The Content Security Policy options are as follows:
- Allow 'self' Directive - Resources from your own host:protocol are permitted.
- Allow "data:" Directives - Allows use of embedded data directives, most commonly used for images and fonts.
- HTTPS Resource Loading - Allows loading of any content provided over HTTPS.
- Permitted Hosts and Domains - You can explicitly state the hosts/domains from which content may be loaded. Take great care and test your site, as you may block legitimate resources.
- Manual Rules - You can add manual CSP rules which are not covered by the rules above.
Important: The above CSP options (settings) are no longer available from v10.2.2 onward. Please see the ShieldPRO 10.2 Upgrade Guide here.
Due to the complexity of CSP and the superficial nature of our CSP implementation, we've decided to remove those options. We explore the issue in full detail in our blog post on this topic here.
You can add custom CSP rules to your site.
To do this, you'll need to enable CSP headers and use the 'Manual Rules' option to add your custom rules. For example:
Feel free to provide as many custom Content Security Policy rules as you need to.
Important: There is no validation that your rules are structured correctly, nor whether they’re appropriate for your particular site and circumstances. Great care should be taken when providing your custom rules and advice should be sought from your web developer on what is most appropriate.
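As an added illustration (not Shield's own code), the following Python sketch shows how the option flags listed above map onto a header value, and performs the kind of structural check on manual rules that Shield does not. The directive list, the host regex and the sample values are my assumptions, not taken from the plugin.

```python
"""Assemble a Content-Security-Policy header value from option flags and
check manually supplied rules for common structural mistakes."""
import re

# Assumed directive names (CSP Level 3); a manual rule should name one of these.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "object-src", "frame-src", "frame-ancestors", "media-src",
    "worker-src", "base-uri", "form-action", "upgrade-insecure-requests",
}
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
# Assumed host-source shape: optional scheme, optional wildcard label, host, port, path.
HOST_RE = re.compile(r"^\*$|^(https?://)?(\*\.)?[a-z0-9.-]+(:\d+)?(/\S*)?$", re.I)

def build_csp(allow_self, allow_data, allow_https, hosts, manual_rules):
    """Option flags feed default-src; manual rules are appended verbatim (no validation)."""
    sources = []
    if allow_self:
        sources.append("'self'")
    if allow_data:
        sources.append("data:")
    if allow_https:
        sources.append("https:")
    sources.extend(hosts)
    directives = ["default-src " + " ".join(sources or ["'none'"])]
    directives.extend(r.strip().rstrip(";") for r in manual_rules if r.strip())
    return "; ".join(directives)

def check_rule(rule):
    """Return a list of problems found in one manual rule (empty list = looks well-formed)."""
    problems = []
    parts = rule.strip().rstrip(";").split()
    if not parts:
        return ["empty rule"]
    name, values = parts[0].lower(), parts[1:]
    if name not in KNOWN_DIRECTIVES:
        problems.append(f"unknown directive '{name}'")
    if name == "upgrade-insecure-requests":
        return problems + (["directive takes no values"] if values else [])
    if not values:
        problems.append("directive has no source list")
    for v in values:
        # Keywords, scheme-sources (data:, https:) and nonce/hash sources need no host check.
        if v.lower() in KEYWORDS or v.endswith(":") or v.startswith(("'nonce-", "'sha")):
            continue
        if v.strip("'").lower() in {k.strip("'") for k in KEYWORDS}:
            problems.append(f"keyword {v} must be single-quoted")
        elif not HOST_RE.match(v):
            problems.append(f"malformed source '{v}'")
    if "'unsafe-inline'" in [v.lower() for v in values] and name in {"script-src", "default-src"}:
        problems.append(f"{name} allows 'unsafe-inline': largely defeats XSS protection")
    return problems
```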
Note: When you enable CSP headers with Shield, the Security Overview section might show that CSP isn't active:
This is because you haven't added your custom rules:
You'll need to turn on the "Enable CSP" option and provide rules. Then the Security Overview section will show that CSP is turned on:
To learn more about HTTP Content Security Policy Headers, read the blog article here.
We also recommend reading: