Adding CSP header to site

Someone had previously pointed me to https://securityheaders.io/, and after running my site through it I decided to implement a whole bunch of security changes, including adding a Content-Security-Policy header.

For those not familiar with CSP, it is an effective means of combating XSS attacks and is further described here.

To work out the right combination of CSP directives, I basically:

  • Add or modify the header
  • Open up the Firefox and Chrome debug consoles (especially the security logs)
  • Reload the page
  • Look at the errors and guess at what values are needed to fix them
  • Go back to the top of the list

The Chrome security logging was more informative than that of Firefox and its CSP validation seems more thorough.

Finally, after a lot of trial and error and reading of documentation (in particular, this OWASP guide was awesome), I arrived at:

Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self'; font-src 'self' data: https://fonts.gstatic.com:443; img-src 'self' data: https://secure.gravatar.com:443; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443"
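As an added example (not the blog's own tooling), a small Python checker that parses a CSP value such as the final header above into its directives, applies the fetch-directive fallback to default-src, and flags 'unsafe-inline' and 'unsafe-eval' wherever they end up governing script execution. The policy string is the one from this post; the hardened variant is a constructed comparison.

```python
# Added example (not the blog's own code): parse a CSP value into directives,
# apply the fetch-directive fallback to default-src, and flag the keywords
# that re-enable inline script and eval, which is what CSP is meant to stop.

WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

# The policy the post arrived at (copied from the post).
BLOG_POLICY = (
    "default-src 'unsafe-inline' 'unsafe-eval' 'self'; "
    "font-src 'self' data: https://fonts.gstatic.com:443; "
    "img-src 'self' data: https://secure.gravatar.com:443; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443"
)

# A constructed, tighter variant for comparison: scripts only from 'self';
# inline styles are still tolerated because styles cannot execute script.
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self'; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443"
)


def parse_csp(header: str) -> dict:
    """Split a header value into {directive-name: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> tuple:
    """Return (sources, governing directive). Fetch directives such as
    script-src fall back to default-src when they are not set explicitly."""
    if directive in policy:
        return policy[directive], directive
    return policy.get("default-src", []), "default-src"


def weak_script_settings(header: str) -> list:
    """List the unsafe keywords that apply to script execution under header."""
    policy = parse_csp(header)
    sources, governing = effective_sources(policy, "script-src")
    return [f"{kw} allowed for scripts via {governing}"
            for kw in sorted(WEAK_KEYWORDS & set(sources))]


if __name__ == "__main__":
    for label, value in (("blog policy", BLOG_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, weak_script_settings(value) or ["no unsafe script keywords"])
```

Because the post's policy has no script-src, its default-src governs scripts, so the checker reports both keywords there; adding an explicit script-src without them removes the findings.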
