Block XSS vulnerabilities by adding a Content Security Policy header, plugin receives violations to easily maintain the security policy.

Dylan

Content Security Policy (CSP) is a W3C guideline to prevent cross-site scripting (XSS) and related attacks. XSS allows other people to run scripts on your site, making it no 
longer your application running on your site, and opens your whole domain to attack due to “Same-Origin Policy” – XSS anywhere on your domain is XSS everywhere on your domain. (see https://www.youtube.com/watch?v=WljJ5guzcLs)
CSP tells your browser to push least-privilege environment on your application, allowing the client to only use resources from trusted domains and block all resources from anywhere else.
Adding CSP to your site will protect your visitors from:
<ul>
<li>Cross-site scripting (XSS) attacks</li>
<li>Adware and Spyware while on your site</li>
</ul>
This plugin will help you set your CSP settings and will add them to the page the visitor requested. Policy violations will be logged in a database table which can be viewed via an admin page that supplies all the violations, along with counts. Buttons easily allow you to add the sites to your headers or to ignore them.
This plugin also allows you to ignore sites that repeatedly violate your policies. For example, some tracking images will show as violating your policies, but you still don’t want them to run, therefore you can block the site from showing up in your logs – note, however, that the browser will still call your server and your server will still spend resources processing the call.
In addition, this plugin can help you to get on the HSTS Preload list – See https://hstspreload.org/ for details.
<h4>CSP Directives</h4>
CSP allows you to control where your visitors’ browser can run code from.
The W3C specification allows for the following directives:
<ul>
<li>
default-src 
The default-src is the default policy for loading content. If another setting is blank then this setting will be used.
</li>
<li>
script-src 
Defines valid sources of JavaScript.
</li>
<li>
style-src 
Defines valid sources of stylesheets.
</li>
<li>
img-src 
Defines valid sources of images.
</li>
<li>
connect-src 
Applies to XMLHttpRequest (AJAX), WebSocket or EventSource.
</li>
<li>
manifest-src 
Specifies which manifest can be applied to the resource
</li>
<li>
worker-src 
Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
</li>
<li>
font-src 
Defines valid sources of fonts.
</li>
<li>
object-src 
Defines valid sources of plugins. Stops your site becoming the source of drive-by attacks.
</li>
<li>
media-src 
Defines valid sources of audio and video.
</li>
<li>
base-uri 
Limit the values that can be used in the entry.
</li>
<li>
frame-src 
Defines valid sources for loading frames.
</li>
<li>
sandbox 
Enables a sandbox for the requested resource similar to the iframe sandbox attribute.
</li>
<li>
form-action 
The form-action restricts which URLs can be used as the action of HTML form elements.
</li>
<li>
frame-ancestors 
Whether to allow embedding the resource using a frame, iframe, object, embed, etc. in non-HTML resources.
</li>
<li>
plugin-types 
Restricts the set of plugins that can be invoked by limiting the types of resources that can be embedded.
</li>
<li>
report-uri 
URL to post information on violations of the policies you set.
</li>
<li>
require-sri-for 
Require integrity check for scripts and/or styles.
</li>
</ul>
<h4>CSP Entry Syntax</h4>
Note – with version 3 of the CSP specification there has been a move to ‘strict-dynamic’ – see the Upgrade Notice section for more information.
Each directive can take one or more of the following values:
<ul>
<li>
* 
Allows loading resources from any source.
</li>
<li>
‘none’ 
Blocks loading resources from all sources. The single quotes are required.
</li>
<li>
‘self’ 
Refers to your own host. The single quotes are required.
</li>
<li>
‘unsafe-inline’ 
Allows inline elements, such as functions in script tags, onclicks, etc. The single quotes are required.
</li>
<li>
‘unsafe-eval’ 
Allows unsafe dynamic code evaluation such as JavaScript eval(). The single quotes are required.
</li>
<li>
‘strict-dynamic’ 
The trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. The single quotes are required.
</li>
<li>
‘sha-AAAAAAAAA’ 
For scripts and styles that can’t take a nonce the browser will tell you a ‘sha-‘ value you can use. The single quotes are required.
</li>
<li>
‘nonce-AAAAAAAAA’ 
The trust nonce value – this value is automatically generated per page refresh and should not be entered by the user. The single quotes are required.
</li>
<li>
data: 
Allow loading resources from data scheme – usually inline images. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
</li>
<li>
mediastream: 
Allows mediastream: URIs to be used as a content source.
</li>
<li>
filesystem: 
Allow loading resource from file system.
</li>
<li>
https: 
Only allows loading resources from HTTPS: on any domain. This can be used to block insecure requests.
</li>
<li>
www.example.com 
Allow loading resources from this domain, using any scheme (http/https)
</li>
<li>
*.example.com 
Allow loading resourcs from any subdomain under example.com, using any scheme (http/https)
</li>
<li>
http://www.example.com 
Allows loading resources from this domain using this scheme.
</li>
<li>
/path/to/file/ 
Allows loading any file from this path on this domain.
</li>
<li>
/path/to/file/thefile 
Allows loading this one file on this domain.
</li>
</ul>
<h4>Security Headers</h4>
In addition to the CSP headers, there are other security headers supported, including:
<ul>
<li>
Expect-CT 
Instructs user agents (browsers) to expect valid Signed Certificate Timestamps (SCTs) to be served.
</li>
<li>
Strict Transport Security 
The HTTP Strict-Transport-Security response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
</li>
<li>
X-Frame-Options 
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
</li>
<li>
X-XSS-Protection 
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript (‘unsafe-inline’), they can still provide protections for users of older web browsers that don’t yet support CSP.
</li>
<li>
X-Content-Type-Options 
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.
</li>
<li>
Referrer-Policy 
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.
</li>
</ul>
<h3>Written By</h3>
This plugin was written by Dylan Downhill, CDO of <a href="https://www.elixirinteractive.com/" rel="nofollow ugc">Elixir Interactive</a> .

WP Content Security Plugin

This plugin was implemented on one of our sites as we needed a CSP. None of the team really knew what one was until I was recommended this plugin. 

It's great. Really great, and highly recommended in helping you get a handle on CSP's

Alternatives to WP Content Security Plugin

Top alternatives