• Hi, first of all I would like to thank you for your plugin.

    It seems to have everything I need.
    However I would like to know where I can validate the generated CSP policy.
    Well, when scanning the site on the Mozilla site (https://observatory.mozilla.org/), it appears that only the “upgrade-insecure-requests” option is there as the whole policy.

    I would also like to know if you have considered the option of generating not nonces, but hashes for the styles.

    Thanks in advance,

    Regards


Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Giuseppe

    (@mociofiletto)

    Did you enable protection?

    In your page, I see a CSP deployed, but it uses ‘unsafe-inline’, so it should not have been generated with this plugin.

    The use of hashes for external styles has been removed since v. 1.1.2 because CSP does not allow the use of ‘hash-value’ to allow external styles.

    Thread Starter cfontecha

    (@cfontecha)

    My apologies, I had disabled the plugin protection. I have it enabled again now.

    I have been building a policy manually, but the process with your plugin is much more helpful.

    Thread Starter cfontecha

    (@cfontecha)

    I tried again to create the CSP, but it is still only upgrade-insecure-requests.

    What can I do in this case?

    Plugin Author Giuseppe

    (@mociofiletto)

    Can you post a screenshot of the settings page? It seems you didn’t enable any relevant directive, but I can’t be sure.

    Thread Starter cfontecha

    (@cfontecha)

    Thank you for your reply.

    These are all the settings options

    I don’t know if there is a configuration error or if it is missing some kind of additional setting.

    Thank you in advance for your support and answer.

    Best regards

    Plugin Author Giuseppe

    (@mociofiletto)

    It is really weird. I will test these settings in a few days.

    The strange thing is that you have disabled upgrade-insecure-request in No unsafe-inline but this is the only value deployed by your CSP.

    Are you sure you are not deploying CSP via .htaccess file or with another plugin?

    If you are using any cache plugin, can you try to temporarily disable it?

    Thread Starter cfontecha

    (@cfontecha)

    Yes, it is a strange case, because as you mention, the upgrade-insecure-request option is disabled, yet it is the only one that appears in the CSP inspection.
    There is no CSP declared in the .htaccess and the only plugin I have tried to test on the site is this one. Additionally, it does not have any cache plugin.
    I am trying to purge the cache from the server.

    Plugin Author Giuseppe

    (@mociofiletto)

    Hi @cfontecha, I have run some tests, but I cannot reproduce the problem. It seems that your CSP policy is not set by No unsafe-inline. Can you try to temporarily disable any cache / security etc. plugins to see what happens?

    Can you check the No unsafe-inline log page to see if there is any error?

    Thread Starter cfontecha

    (@cfontecha)

    I’ve checked the log and can’t find anything.

    I have similarly disabled security plugins and cleared the server cache to no avail.

    However, when I activate Test policy with Content-Security-Policy-Report-Only, the policy appears in test mode.

    Plugin Author Giuseppe

    (@mociofiletto)

    In No unsafe-inline you “cannot” set both “Enable CSP Protection” ( = deploy a Content-Security-Policy header) and “Test policy with Content-Security-Policy-Report-Only” ( = deploy a Content-Security-Policy-Report-Only header).

    This confirms that you are deploying CSP by another way that is not No unsafe-inline.

    Maybe the CSP header is added by your provider or by your webserver. Please check that you don’t have an .htaccess file in your web-root directory that sets the CSP.
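
    The diagnosis above can be automated. The following is an added example, not code from the No unsafe-inline plugin or from anyone in this thread: it parses the CSP headers a response actually carries and flags the three symptoms discussed here (both header types present at once, a policy consisting only of upgrade-insecure-requests, and a directive allowing ‘unsafe-inline’). The header values are constructed to mirror this thread; on a live site you would pass the headers returned by a request to the page.

```python
# Added example, not code from the plugin: classify the CSP headers a site
# actually sends, to tell a plugin-generated policy from one set elsewhere.
from typing import Dict, List

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive: [source expressions]}.
    Browsers honour the first occurrence of a directive and ignore repeats."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def diagnose(headers: Dict[str, str]) -> Dict[str, object]:
    """Report which CSP headers are present and the symptoms seen in this thread."""
    lower = {k.lower(): v for k, v in headers.items()}
    present = [h for h in (ENFORCED, REPORT_ONLY) if h in lower]
    findings: List[str] = []
    if len(present) == 2:
        # The plugin sets one header or the other, never both at the same time.
        findings.append("both enforced and report-only headers present: "
                        "at least one is set outside the plugin")
    for h in present:
        directives = parse_csp(lower[h])
        if set(directives) == {"upgrade-insecure-requests"}:
            findings.append(f"{h}: only upgrade-insecure-requests, no fetch directives")
        for name, sources in directives.items():
            if "'unsafe-inline'" in sources:
                findings.append(f"{h}: {name} allows 'unsafe-inline'")
    return {"present": present, "findings": findings}


# Constructed sample mirroring the thread: an enforced header carrying only
# upgrade-insecure-requests next to the plugin's report-only policy.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Content-Security-Policy-Report-Only": (
        "default-src 'self'; style-src 'self' 'nonce-abc123'; "
        "script-src 'self' 'unsafe-inline'; default-src 'none'"),
}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_HEADERS)["findings"]:
        print(line)
```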

    Plugin Author Giuseppe

    (@mociofiletto)

  • The topic ‘where can i validate the CSP’ is closed to new replies.