Content Security Policy and WordPress

Sun 14 January 2018

For your protection, I've been working on securing this website with all the proper security HTTP headers. Of course, by running WordPress as the backend, I'm making it easy to manage all the data but difficult to manage all the pieces and parts of the system's backend. The largest problem I've found is the many inline JavaScript and inline CSS blocks that are in WordPress Core.

So far I've added the easy headers: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Referrer-Policy. The complicated one, at least for sites using WordPress, is the Content-Security-Policy. Unfortunately, the Content-Security-Policy is also the best protection against XSS attacks. As I pointed out above, WordPress uses several inline scripts and CSS instructions. This means that I'd have to use "unsafe-inline" when describing what is allowed for scripts and styles. Unfortunately, adding that negates much of the protection offered by the policy, since an injected inline script is allowed by exactly the same rule as the legitimate ones.

There is a way around this while still allowing inline scripts: using a nonce. The server generates a fresh random value for each response, places it in the policy as 'nonce-…', and adds the same value as a nonce attribute on each inline script it intends to run; inline scripts without it are blocked. Of course this isn't really possible with code that one doesn't directly control, like WordPress Core. I did, however, find a potential fix that may be forthcoming that I'll be monitoring. This enhancement would allow for a plug-in to add a nonce to these scripts, thus allowing a Content-Security-Policy to be defined to allow those specific scripts. Until then, I'll have to leave this site somewhat unprotected like many (most?) websites are today.

By Sparks, Category: Information Security

Tags: Content Security Policy / HTTP Headers / FOSS & Open Source / Integrity / Security / Wordpress /
