WordPress and CSP – Content Security Policy (lang: SR)

CSP is an HTTP response header that the web site sends to the user's browser. It defines a set of rules for the browser that determine from where the site may load content (images, scripts, styles …) and which content is allowed to execute. A correctly configured CSP protects users and data from XSS (cross-site scripting) attacks and from tampering with the data presented to the user. The CSP specification also includes reports, generated by the browser, that contain information about CSP violations.

The lecture covers the basics of CSP, including suggestions for correctly configuring the many directives a CSP can contain, as well as WordPress-specific considerations, with special emphasis on the limitations (particularly for inline JavaScript embedded in the HTML content) and the different implementation approaches. A few minutes will also be dedicated to other security-related HTTP headers.

For this lecture, I created a free (GPL) plugin, available on WordPress.org at https://wordpress.org/plugins/gd-security-headers/, which allows setting up a CSP as well as several other HTTP headers that increase the security of the website and its users. The plugin can also receive the CSP reports generated by browsers.
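To make the inline-JavaScript limitation and the reporting mechanism concrete, here is an added example (my own illustration, not code from the gd-security-headers plugin): a minimal WordPress mu-plugin that sends a nonce-based CSP, attaches the nonce to scripts that WordPress prints, and receives browser violation reports at a REST endpoint. The route namespace `csp-demo/v1` and the function name `csp_demo_nonce` are assumed names.

```php
<?php
// Added example, not the gd-security-headers plugin: a minimal WordPress
// mu-plugin that sends a nonce-based CSP, puts the nonce on enqueued and
// inline scripts, and receives violation reports over the REST API.
// The route namespace "csp-demo/v1" is an assumed name.

// One random nonce per request; inline scripts lacking it are blocked.
function csp_demo_nonce() {
    static $nonce = null;
    if ( $nonce === null ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy with every response; report-uri is where the browser
// POSTs violation reports. Deploy as Content-Security-Policy-Report-Only
// first to learn what the policy would break on a real site.
add_action( 'send_headers', function () {
    $policy = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' 'nonce-" . csp_demo_nonce() . "'", // no 'unsafe-inline'
        "style-src 'self' 'unsafe-inline'",                   // core/theme inline CSS
        "object-src 'none'",
        'report-uri ' . rest_url( 'csp-demo/v1/report' ),
    ) );
    header( 'Content-Security-Policy: ' . $policy );
} );

// Tag <script> tags from wp_enqueue_script() and wp_add_inline_script()
// with the nonce (both filters exist since WordPress 5.7).
$csp_demo_add_nonce = function ( $attributes ) {
    $attributes['nonce'] = csp_demo_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $csp_demo_add_nonce );
add_filter( 'wp_inline_script_attributes', $csp_demo_add_nonce );

// Receive reports: browsers POST JSON with a top-level "csp-report" object
// and Content-Type application/csp-report, so parse the raw body ourselves.
add_action( 'rest_api_init', function () {
    register_rest_route( 'csp-demo/v1', '/report', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // reports arrive unauthenticated
        'callback'            => function ( WP_REST_Request $request ) {
            $body   = json_decode( $request->get_body(), true );
            $report = isset( $body['csp-report'] ) ? $body['csp-report'] : $body;
            error_log( 'CSP violation: ' . wp_json_encode( $report ) );
            return new WP_REST_Response( null, 204 );
        },
    ) );
} );
```

Scripts a theme or plugin prints by hand (not through `wp_enqueue_script()` or `wp_add_inline_script()`) get no nonce and will be blocked, which is the WordPress limitation the talk refers to. Full-page caching also breaks this approach, because a cached page carries a stale nonce that no longer matches the header.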
