CSP content security policy
Hi Alec!
Thank you for providing this plugin.
Recently I increased the security of my website by deploying a CSP. Later I discovered that the videos with protected-video stopped showing. The thumbnail appears but the connection freezes. A YouTube link without protected-video will pull the video properly.
I would like to maintain protected-video and also the CSP. Maybe this is out of your scope, but could you please see below and see what may be blocking Protected-video?
My guess is that it may be some value in one of these sections:
# X Frame Options
# Permissions Policy (rudimentary policies supported by chrome and FF)
# Content Security Policy (CSP – quite lax WP 6.4 compatible policies)
Thank you for any guidance you may provide.

```
### BEGIN WP 6.4 Security - LSE

## Automatic 301 redirect to https
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

## Additional security headers
<IfModule mod_headers.c>
# X Frame Options
Header always set X-Frame-Options "SAMEORIGIN"
# X XSS-Protection disabling (deprecated)
Header set X-XSS-Protection "0"
# X Content-Type-Options
Header set X-Content-Type-Options "nosniff"
# X Permitted Cross Domain Policies
Header set X-Permitted-Cross-Domain-Policies "none"
# X-Powered-By and Server
Header unset X-Powered-By
Header unset Server
# Referrer Policy
Header set Referrer-Policy "strict-origin-when-cross-origin"

## Advanced policies - basic implementation
# Permissions Policy (rudimentary policies supported by chrome and FF)
Header set Permissions-Policy "autoplay=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), midi=(self), payment=(self), microphone=(), camera=()"
# Content Security Policy (CSP - quite lax WP 6.4 compatible policies)
Header set Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https:; style-src 'self' https: 'unsafe-inline'; font-src 'self' data: https:; img-src 'self' blob: data: https:; frame-src 'self' https: blob:; form-action 'self';"
</IfModule>

## ForceSecureCookie (LiteSpeed Set Cookie HTTPOnly Secure alternative)
<IfModule LiteSpeed>
ForceSecureCookie same_site_strict
</IfModule>

### END Improved Site Security
```
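One way to narrow down a question like this is to work out which directive of the posted policy governs each kind of resource load, including the ones that silently fall back to `default-src 'self'` because the policy never names them. The sketch below is an added example, not part of the original post or of the plugin. The origins `site.example`, `video.example` and `cdn.example` are constructed placeholders, since the post does not say which URLs the plugin loads; substitute the blocked URLs reported in the browser console.

```python
from urllib.parse import urlsplit

# Policy value copied from the Content-Security-Policy header in the post.
POSTED_CSP = (
    "default-src 'self'; object-src 'none'; "
    "script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval'; "
    "connect-src 'self' https:; style-src 'self' https: 'unsafe-inline'; "
    "font-src 'self' data: https:; img-src 'self' blob: data: https:; "
    "frame-src 'self' https: blob:; form-action 'self';"
)
# CSP Level 3 fallback chains; other fetch directives fall back to default-src.
FALLBACK = {"frame-src": ["frame-src", "child-src", "default-src"],
            "worker-src": ["worker-src", "child-src", "script-src", "default-src"]}

def parse_csp(header):
    """Return {directive: [source expressions]}; the first occurrence wins."""
    policy = {}
    for tokens in filter(None, (part.split() for part in header.split(";"))):
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(expr, url, self_origin):
    """Simplified matching: 'self', scheme-sources and host-sources only
    (no bare *, no port/path matching, no http-to-https upgrade rules)."""
    u, expr = urlsplit(url), expr.lower()
    if expr == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if expr.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes
        return False
    if expr.endswith(":"):              # scheme-source such as https: or blob:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")   # host-source, scheme optional
    name = u.hostname or ""
    same = name.endswith(host[1:]) if host.startswith("*.") else name == host
    return same and scheme in ("", u.scheme)

def check(policy, directive, url, self_origin):
    """Return (governing directive, allowed) for one resource load."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            ok = any(source_matches(e, url, self_origin) for e in policy[name])
            return name, ok
    return None, True                   # nothing in the policy governs this load

POLICY = parse_csp(POSTED_CSP)
for kind, url in [("frame-src", "https://video.example/embed/abc"),  # constructed
                  ("media-src", "https://cdn.example/clip.mp4")]:     # constructed
    print(kind, url, check(POLICY, kind, url, "https://site.example"))
```

The CSP check is only one of the three header groups named in the post: `X-Frame-Options` and `Permissions-Policy` are enforced separately by the browser and are not modelled here.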