CSP, No referrer how to

Hi guys,

sorry for my noobie question but I’ve been trying to enable CSP and No referrer for days now and no success.

My setup is WP/Bluehost/Cloudflare. I have the SSL enabled but would like to continue with the other security options.

What is the best way to do it?

I tried plugins and the access files but that crashed my WP. I also read about the workers here in Cloudflare, but that is rocket science for me.

Any other path?

Thanks a bunch.

If Scott Helme’s instructions don’t work, try the HTTP Headers plugin.

Thanks, I tried the plugin and it works like a charm for no referrer.

However the CSP is giving me headaches, I crashed my wp-admin page again.

I understand that there are no general settings as it depends on the website. So, any idea how I should configure it for https://cogniarchae.com?

Ah, yes. wp-admin. I use Workers and a variation of the Scott Helme script to turn OFF most of my CSP because I’m pretty safe in wp-admin. I saved the following as a Worker called “security_header”, then assigned it to a route in my domain: example.com/wp-admin/*

// Headers added to every HTML response served via this route.
let securityHeaders = {
  "Content-Security-Policy" : "upgrade-insecure-requests",
  "Strict-Transport-Security" : "max-age=1000",
  "X-Xss-Protection" : "1; mode=block",
  "X-Frame-Options" : "sameorigin",
  "X-Content-Type-Options" : "nosniff",
  "Referrer-Policy" : "strict-origin-when-cross-origin",
  "Feature-Policy" : "camera 'none'; geolocation 'none'; microphone 'none'",
}

// Headers overwritten to hide what the origin is running.
let sanitiseHeaders = {
  "Server" : "CSP",
}

// Headers stripped from the response. Both CSP headers are listed here, so the
// Content-Security-Policy set above is removed again: no CSP reaches wp-admin
// on this route.
let removeHeaders = [
  "Public-Key-Pins",
  "X-Powered-By",
  "X-AspNet-Version",
  "Content-Security-Policy-Report-Only",
  "Content-Security-Policy"
]

addEventListener('fetch', event => {
  event.respondWith(addHeaders(event.request))
})

async function addHeaders(req) {
  let response = await fetch(req)
  let newHdrs = new Headers(response.headers)

  // Only HTML responses get the security headers; everything else passes
  // through untouched.
  if (newHdrs.has("Content-Type") && !newHdrs.get("Content-Type").includes("text/html")) {
    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers: newHdrs
    })
  }

  let setHeaders = Object.assign({}, securityHeaders, sanitiseHeaders)

  Object.keys(setHeaders).forEach(name => {
    newHdrs.set(name, setHeaders[name])
  })

  // Runs after the set step, so anything listed in removeHeaders wins.
  removeHeaders.forEach(name => {
    newHdrs.delete(name)
  })

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHdrs
  })
}
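An added example, not the script above and not Scott Helme's, showing a way to get the CSP onto the public site without locking yourself out of the dashboard: the Worker enforces a policy on ordinary pages but under /wp-admin/ and /wp-login.php it only sends Content-Security-Policy-Report-Only, so a mistake in the admin policy shows up as browser-console violations instead of a broken page. It also sets Referrer-Policy to no-referrer, which is what the question asked for. The policy strings, the /csp-report-placeholder path and the max-age values are illustrative assumptions to be tuned per site; the sample origin responses are constructed inline. The header logic is a plain function so it runs under Node 18+ as well as in the Workers runtime.

```javascript
// Added example (not the script from this thread). Splits CSP handling by path:
// enforce on public pages, report-only on wp-admin and the login page.

// Assumed allow-list for public pages; adjust to what the theme actually loads.
const PUBLIC_CSP = [
  "default-src 'self'",
  "img-src 'self' data: https:",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "upgrade-insecure-requests",
].join("; ");

// Reported but never enforced under wp-admin. The report-uri path is a
// placeholder; without a collector the violations still show in the browser console.
const ADMIN_CSP = "default-src 'self' https:; report-uri /csp-report-placeholder";

// Sent on every HTML response. Values are assumptions, not site-specific advice.
const COMMON_HEADERS = {
  "Referrer-Policy": "no-referrer",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Strict-Transport-Security": "max-age=31536000",
  "Permissions-Policy": "camera=(), geolocation=(), microphone=()",
};

// Origin headers that only advertise the stack.
const STRIP_HEADERS = ["X-Powered-By", "Server"];

function isHtml(headers) {
  const ct = headers.get("Content-Type") || "";
  return ct.toLowerCase().includes("text/html");
}

function isAdminPath(pathname) {
  return pathname.startsWith("/wp-admin/") || pathname === "/wp-login.php";
}

// Which CSP header, and which policy, a given path gets.
function policyFor(pathname) {
  return isAdminPath(pathname)
    ? { name: "Content-Security-Policy-Report-Only", value: ADMIN_CSP }
    : { name: "Content-Security-Policy", value: PUBLIC_CSP };
}

// Pure function: takes the origin Response, returns a new one with our headers.
function applySecurityHeaders(requestUrl, response) {
  const headers = new Headers(response.headers);
  const init = { status: response.status, statusText: response.statusText, headers };
  if (!isHtml(headers)) {
    return new Response(response.body, init); // non-HTML passes through untouched
  }
  for (const [name, value] of Object.entries(COMMON_HEADERS)) headers.set(name, value);
  for (const name of STRIP_HEADERS) headers.delete(name);
  // Drop any CSP the origin or a plugin added: browsers enforce the
  // intersection of multiple CSP headers, so stacking them only tightens things.
  headers.delete("Content-Security-Policy");
  headers.delete("Content-Security-Policy-Report-Only");
  const policy = policyFor(new URL(requestUrl).pathname);
  headers.set(policy.name, policy.value);
  return new Response(response.body, init);
}

// Worker entry point; only registered inside the Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(
      fetch(event.request).then((res) => applySecurityHeaders(event.request.url, res))
    );
  });
}

// Constructed sample response standing in for what the WordPress origin returns.
function sampleOriginResponse() {
  return new Response("<html><body>hi</body></html>", {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=UTF-8",
      "X-Powered-By": "PHP/8.1",
      "Content-Security-Policy": "default-src 'none'", // a plugin's policy, to be replaced
    },
  });
}

function demo() {
  for (const url of ["https://example.com/wp-admin/index.php", "https://example.com/hello-world/"]) {
    const out = applySecurityHeaders(url, sampleOriginResponse());
    console.log(url, [...out.headers.entries()]);
  }
}

demo();
```

Assign the Worker to a route covering the whole site (for example example.com/*), then watch the console on wp-admin pages for report-only violations; once the admin policy stops reporting anything, promote it to an enforced Content-Security-Policy. Either way, `curl -I` against a public page and an admin page is a quick check that the right header arrived.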

Thank you, I never knew of workers before joining Cloudflare, and since I have no experience in coding I prefer not to take any more risks… I guess I will have to find some freelancer to do this one for me.
