Content Security Policy and WordPress

Sun 14 January 2018

For your protection, I've been working on securing this website with all the proper security HTTP headers. Of course, running WordPress as the backend makes it easy to manage all the data but difficult to manage all the pieces and parts of the system's backend. The largest problem I've found is the many inline JavaScript and inline CSS blocks in WordPress Core.

So far I've added the easy headers: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Referrer-Policy. The complicated one, at least for sites using WordPress, is the Content-Security-Policy. Unfortunately, the Content-Security-Policy is also the best protection against XSS attacks. As I pointed out above, WordPress uses several inline scripts and CSS instructions. This means I'd have to use "unsafe-inline" when describing what is allowed for scripts and styles, and adding that negates much of the protection offered by the policy, since an injected inline script is then allowed just like WordPress's own.

There is a way around this while still allowing inline scripts: using a nonce, a random value generated fresh for each response that the policy lists and that each permitted script tag carries. Of course, this isn't really possible with code that one doesn't directly control, like WordPress Core. I did, however, find a potential fix that may be forthcoming, which I'll be monitoring. This enhancement would allow a plug-in to add a nonce to these scripts, thus allowing a Content-Security-Policy to be defined that permits those specific scripts. Until then, I'll have to leave this site somewhat unprotected, like many (most?) websites are today.
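To make the difference between "unsafe-inline" and a nonce concrete, here is an added example (not code from this site or from WordPress) that generates a per-response nonce, builds the kind of policy described above, and approximates how a browser decides whether an inline script block may run. It is a simplified evaluator: it handles nonce sources and 'unsafe-inline' and ignores hash sources and 'strict-dynamic'.

```python
import re
import secrets

def make_nonce() -> str:
    """Fresh, unguessable nonce; generate one per response and never reuse it."""
    return secrets.token_urlsafe(16)

def build_csp(nonce: str) -> str:
    """Policy allowing own-origin files plus inline blocks tagged with this nonce."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            f"style-src 'self' 'nonce-{nonce}'")

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def nonce_from_tag(tag: str):
    """Return the nonce attribute of a <script> tag, or None if it has none."""
    m = re.search(r'nonce=["\']([^"\']+)["\']', tag)
    return m.group(1) if m else None

def inline_script_allowed(header: str, tag: str) -> bool:
    """Would a browser run this inline <script> block under this policy?"""
    policy = parse_csp(header)
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")   # script-src falls back to default-src
    if sources is None:
        return True                            # policy says nothing about scripts
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    script_nonce = nonce_from_tag(tag)
    if script_nonce is not None and script_nonce in nonces:
        return True
    # CSP Level 2+: once any nonce or hash source is listed, 'unsafe-inline'
    # is ignored, so an untagged (injected) block is blocked. Hash sources
    # are not evaluated here, only noted for that rule.
    if nonces or hashes:
        return False
    return "'unsafe-inline'" in sources
```

With "script-src 'self' 'unsafe-inline'" every inline block runs, which is the weakness described above; with a nonce in the policy, only blocks carrying that exact nonce do, and adding 'unsafe-inline' alongside it no longer reopens the door.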

By Sparks, Category: Information Security

Tags: Content Security Policy / HTTP Headers / FOSS & Open Source / Integrity / Security / Wordpress

Other articles

A response to 'Strong Encryption and Death'

Fri 20 January 2017

I recently read an article on the TriLUG blog mirror discussing access to data after the death of the owner. I've given this a lot of thought as well and had previously come to the same conclusion as the original author of the article:

"I created a file …

By Sparks, Category: Computers


Securing email to Gmail

Tue 22 December 2015

I've been working on securing my postfix configuration to enforce certificate validation and encryption on some known, higher-volume, or more sensitive connections between SMTP servers (port 25).

On many of the connections I've set up for secure transport there have been no problems (assuming proper TLS certificates are used). Unfortunately Gmail …

By Sparks, Category: Information Security


Postfix Encryption

Thu 12 March 2015

I've been tinkering with the encryption options in Postfix for a while. Encryption between clients and their SMTP server and between SMTP servers is necessary to protect the to, from, and subject fields, along with the rest of the header, of an email. The body of the message is also …

By Sparks, Category: Information Security


CERN cares about information security... what about you?

Sun 08 March 2015

As a security engineer it's usually difficult for me to endure many of the dumb things companies do. It's quite sad when a company that prides itself on creating solutions for building internal solutions to protect customer data actually starts pushing its own data out to Google and other "solution" providers …

By Sparks, Category: Computers


Securing Secure Shell

Tue 06 January 2015

I was passed an interesting article this morning regarding hardening Secure Shell (SSH) against weak crypto that can be cracked by the NSA and other entities. The article is well written and discusses why the changes are necessary in light of recent Snowden file releases.

By Sparks, Category: Information Security


Automated configuration analysis for Mozilla's TLS guidelines

Thu 09 October 2014

My friend Hubert has been doing a lot of work to make the world a little safer. Glad he's getting some recognition. Here's a great article on testing your server for proper SSL/TLS configurations.

By Sparks, Category: Radio


Signing PGP keys

Sat 21 June 2014

If you've recently completed a key signing party or have otherwise met up with other people and have exchanged key fingerprints and verified IDs, it's now time to sign the keys you trust. There are several different ways of completing this task and I'll discuss two of them now.

caff …

By Sparks, Category: Information Security


PGP Keysigning Event and CACert Assertion at SELF2014

Mon 16 June 2014

SouthEast LinuxFest is happening this upcoming weekend. I offered to host a PGP (I'll substitute PGP for GPG, GnuPG, and other iterations) keysigning and CACert Assertion event and have been scheduled for 6:30 PM in the Red Hat Ballroom. Since there is a little bit of planning needed on …

By Sparks, Category: Information Security


Generating a PGP key using GnuPG

Mon 16 June 2014

Generating a PGP key using GnuPG (GPG) is quite simple. The following shows my recommendations for generating a PGP key today.

$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY …

By Sparks, Category: Information Security


SSL/TLS Trends

Tue 20 May 2014

My friend Hubert has started compiling statistics of Alexa's top 1 million websites. Specifically, he's looking at their SSL/TLS settings and attempting to show trends in the world that is port 443. He recently released his May numbers showing a slow but mostly improving security environment. I'm hoping he'll …

By Sparks, Category: Information Security


256 Bits of Security

Thu 17 April 2014

This is an incomplete discussion of SSL/TLS authentication and encryption. This post only goes into RSA and does not discuss DHE, PFS, elliptic curve, or other mechanisms.

In a previous post I created a 15,360-bit RSA key and timed how long it took to create the key. Some may …

By Sparks, Category: Information Security


Kicking RC4 out the door

Wed 13 November 2013

I've been arguing with my web hosting company about their use of RC4. Like many enterprise networks they aren't consistent across all their servers with respect to available ciphers and such. It appears that all customer servers support TLS_RSA_WITH_CAMELLIA_256_CBC_SHA and TLS_RSA_WITH_CAMELLIA …

By Sparks, Category: Information Security


How secure are those SSL and SSH keys anyway?

Wed 30 October 2013

Thought I'd pass along this research study, The keys to the kingdom, as I found it to be quite interesting (especially when you scan the entire Internet for your data). If you don't understand the math explanation at the beginning just continue reading as you don't need to have a …

By Sparks, Category: Information Security


Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

Mon 14 October 2013

Just ran across this article discussing how horrible the cipher preference list is in Android. That's a lot of bad crypto on the streets right now.

Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

By Sparks, Category: Information Security


Trusting Trusted CAs

Wed 09 October 2013

Like it or not, the basis of trust for much of the Internet is Certificate Authorities (CAs). Companies like Verisign, GoDaddy, and GeoTrust are in the trust business. They will sell you cryptographic proof of your Internet assets (namely your domain name) that others can use to verify …

By Sparks, Category: Information Security


Encrypting SMS messages and phone calls on Android

Thu 21 March 2013

Much of our daily lives is contained within our smartphones and computers. Email, text messages, and phone calls all contain bits and pieces of information that, in the wrong hands, could harm our privacy. Unfortunately many people either don't understand how vulnerable their data is when sent across the Internet …

By Sparks, Category: Information Security


Hashing Algorithm: Is your GPG configuration secure?

Thu 21 February 2013

If your email messages are being signed using SHA-1 you may not be getting the security you think you are. Attacks on the hashing algorithm have caused much pain to those who use it. Luckily SHA-2 is available and hopefully we'll start seeing SHA-3 out in the world soon.

You've …

By Sparks, Category: Information Security


Password strength, more characters are better than complexity

Thu 26 July 2012

In a recent PBS Newshour article discussing the recent Yahoo! password list theft, a reference to a chart showing how short passwords can still be secure was added to the story. The data and conclusions included in that chart were disturbing to me, to say the least. While complexity does …

By Sparks, Category: Information Security


Protecting your email from disclosure

Mon 07 December 2009

Climate talk, Alaska government business, and Dave Briggs. What do these three things have in common? Each of these subjects had more light shone on them by someone cracking email messages and releasing those messages to the public over the Internet. Of course there are many more of these events …

By Sparks, Category: Information Security
