Using security response headers with WordPress

I’ve added several security headers to my blog today. The first part was easy: I’ve created a .htaccess file in my blog’s root directory with the following content:

Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31556926"
Header set Cache-Control "no-store, no-cache, must-revalidate"

Only one header was missing: Content Security Policy (CSP). The header itself was easy to add, but caused some problems at first:

Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options DENY
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31556926"
Header set Cache-Control "no-store, no-cache, must-revalidate"
Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com; frame-ancestors 'none'"

This works perfectly for the pages visitors can access, but totally breaks the admin pages. Far too many JavaScript files are loaded from other domains, and a lot of these pages contain inline JavaScript, which would force me to add ‘unsafe-inline’ to the policy. With that value in place, not much of the protection is left. Fortunately, I’m talking about the admin area, which is only accessible by myself. So instead of creating a new policy in the wp-admin folder that would more or less allow anything, I’ve decided to deactivate it completely in this area by creating a .htaccess file in this folder with the following content:

Header unset Content-Security-Policy

The Content Security Policy header is great, but this is a typical example of the problems you run into with older (I don’t wanna say legacy in this case) applications or application parts you don’t have under control.
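A small check for the setup described above, as an added example that is not code from the original post: it parses a response head, compares it against the headers set in the root .htaccess, parses the CSP value into directives, and treats the wp-admin case (CSP unset) as a separate mode. The response text is constructed here rather than captured from the blog.

```python
# Added example, not code from the original post. The response text below is
# constructed, not captured from the blog; header values are those the post sets.
from typing import Dict, List

EXPECTED = {                      # headers set in the root .htaccess
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31556926",
    "cache-control": "no-store, no-cache, must-revalidate",
}
CSP = ("default-src 'self'; img-src 'self' http: https: *.gravatar.com; "
       "frame-ancestors 'none'")
PUBLIC_RESPONSE = (               # constructed public-page response head
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31556926\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    f"Content-Security-Policy: {CSP}\r\n\r\n"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value, from a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # head only, drop status line
    return {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """CSP directive name -> list of source expressions."""
    parts = (p.split() for p in policy.split(";"))
    return {p[0].lower(): p[1:] for p in parts if p}

def audit(raw: str, csp_required: bool = True) -> List[str]:
    """Findings for one response; [] means it matches the post's setup.
    csp_required=False models the wp-admin folder, where the post unsets CSP."""
    headers = parse_headers(raw)
    findings = [f"{n} missing or wrong" for n, v in EXPECTED.items()
                if headers.get(n) != v]
    csp = headers.get("content-security-policy")
    if csp is None:
        return findings + (["content-security-policy missing"] if csp_required else [])
    d = parse_csp(csp)
    script_src = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
    if "'unsafe-inline'" in script_src:
        findings.append("scripts allow 'unsafe-inline'")
    if d.get("frame-ancestors") != ["'none'"]:
        findings.append("frame-ancestors is not 'none'")
    return findings
```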

But anyway, all security-relevant headers are returned by my blog now. Please report any problems you might discover.
