WP is not ready for CSP

A Content Security Policy (CSP) relies on HTTP response headers to help prevent cross-site scripting and other malware, providing a great addition to a layered security approach. I think of it as a reverse firewall. It tells browsers exactly what content should be accepted from my site. All other content – malware for example – should be rejected. So, it doesn’t protect my site from being compromised. But if my site gets infected, it can prevent the infection from spreading to my visitors.

A correct CSP is a really good thing, adding to interweb safety. So, why do almost no websites – something incredibly small like 1% of 1% – have a CSP? Partly because it is not very well known yet, but also because it is really complicated to create a correct one. It is much more likely that I will screw up my WP site and deliver false errors – legitimate content blocked by my own policy – to my visitors than it is that my CSP will work properly.

If I create a flat HTML website, and code it myself, so I know the code really well, inside and out, I have a good chance of being able to create a correct CSP. But WP, like any content management system, intentionally obfuscates the code details. Themes and plugins – unless I spend many hours to really study and understand the code – are black boxes by design.

The WP Content Security Policy plugin is an ambitious attempt to solve the challenges of implementing CSP on WP. It is really cool. I tried it out and wanted very much to love it. It resolves the problem of code obfuscation by letting me create a bare-bones CSP and then add to it over time. It logs CSP violation reports so that I can examine them and tweak my CSP to eliminate the false errors.
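The "reverse firewall" idea and the log-then-tweak workflow described above, as an added example that is not code from the post or from the WP Content Security Policy plugin. It starts from a bare-bones policy, renders it as a header value, and triages browser violation reports: a blocked origin that the site owner has already verified is added to the directive that blocked it, and everything else stays blocked and is flagged for a human to look at. The starting policy, the allowlist of known-good origins and the sample reports are all constructed assumptions; the report JSON shape is the standard `csp-report` format browsers send to a `report-uri`.

```python
"""CSP bare-bones-then-extend workflow (added example, not the plugin's code)."""
import json
from urllib.parse import urlsplit

# Hypothetical starting policy: only the site's own origin is allowed, and
# violations are reported to a hypothetical /csp-report endpoint.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "report-uri": ["/csp-report"],
}

# Hypothetical allowlist: third-party origins the site owner has verified as
# legitimate (a CDN, a font host). Nothing outside this set is ever auto-added.
KNOWN_GOOD_ORIGINS = {"https://cdn.example.net", "https://fonts.example.org"}

# Constructed sample reports in the standard csp-report wire format.
SAMPLE_REPORTS = json.loads("""[
 {"csp-report": {"document-uri": "https://www.example.com/post/1",
   "violated-directive": "script-src 'self'", "effective-directive": "script-src",
   "blocked-uri": "https://cdn.example.net/lib.js"}},
 {"csp-report": {"document-uri": "https://www.example.com/post/1",
   "violated-directive": "img-src 'self'", "effective-directive": "img-src",
   "blocked-uri": "https://tracker.example-bad.test/pixel.gif"}},
 {"csp-report": {"document-uri": "https://www.example.com/post/2",
   "violated-directive": "script-src 'self'", "effective-directive": "script-src",
   "blocked-uri": "inline"}},
 {"csp-report": {"document-uri": "https://www.example.com/",
   "violated-directive": "default-src 'self'", "effective-directive": "font-src",
   "blocked-uri": "https://fonts.example.org/a.woff2"}}
]""")


def serialize_policy(policy):
    """Render a directive -> sources dict as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def parse_policy(header_value):
    """Inverse of serialize_policy: header value -> directive -> sources dict."""
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def effective_directive(report):
    """Directive that actually blocked the load; fall back for older browsers
    that only fill violated-directive (whose first token is the directive)."""
    body = report["csp-report"]
    return body.get("effective-directive") or body["violated-directive"].split()[0]


def triage_report(report):
    """Return ('allow' | 'block', directive, origin) for one violation report.
    Non-URL values such as 'inline' or 'eval' are kept verbatim as the origin."""
    blocked = report["csp-report"].get("blocked-uri", "")
    parts = urlsplit(blocked)
    if parts.scheme in ("http", "https") and parts.netloc:
        origin = f"{parts.scheme}://{parts.netloc}"
    else:
        origin = blocked
    verdict = "allow" if origin in KNOWN_GOOD_ORIGINS else "block"
    return verdict, effective_directive(report), origin


def apply_reports(reports, policy):
    """Return (extended policy, flagged reports). The input policy is not mutated."""
    new_policy = {d: list(s) for d, s in policy.items()}
    flagged = []
    for report in reports:
        verdict, directive, origin = triage_report(report)
        if verdict == "allow":
            # A specific directive completely replaces default-src for its
            # resource type, so a new directive must start from default-src's
            # sources or it would silently drop 'self'.
            sources = new_policy.setdefault(directive, list(policy.get("default-src", [])))
            if origin not in sources:
                sources.append(origin)
        else:
            flagged.append((directive, origin, report["csp-report"].get("document-uri")))
    return new_policy, flagged


if __name__ == "__main__":
    extended, suspicious = apply_reports(SAMPLE_REPORTS, BASE_POLICY)
    print("Content-Security-Policy:", serialize_policy(extended))
    for directive, origin, page in suspicious:
        print(f"still blocked: {directive} <- {origin} on {page}")
```

Run it and the CDN and font hosts end up in `script-src` and a newly created `font-src`, while the tracker and the inline script stay blocked and are listed for review. Deploying the starting policy as `Content-Security-Policy-Report-Only` first is what makes this loop safe: reports arrive without anything being blocked for visitors until the owner is satisfied with the policy.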

The problem? The plugin relies on the WP REST API to log CSP errors. I use the excellent Disable WP REST API plugin by Jeff Starr of Perishable Press to substantially reduce hacker attack vectors that the REST API opens. I have to choose between no-CSP security risks vs. REST API security risks. I choose to leave REST API disabled, and forgo – for now – the benefits of CSP.

