Blog

Everything I post up from the staples, design, photo and video to plenty of smaller projects and ideas that won’t make the main pages of the portfolio or other things I’m trying out.

Content Security Policy

I’ve been doing some work on CSP’s to make sure my Observatory scores are nice and high. These are pretty basic notes but the documentation is weird for this and it took me longer than it should have.

There’s a couple things more than the MDN docs I’ve learnt along the way. As a bunch of this doesn’t seem to be easily found together in documentation.

Gatsby

Start with the gatsby-plugin-csp but then also add the gatsby-plugin-netlify

The way Gatsby deals with images there is no way to get inlines out of the CSP

WordPress

Theres a little problem here with having inline scripts makes the CSP considerably weaker but that’s also how the editor works so I’ve been adding what I can to the .htaccess file and then some more through the meta tag in the themes header.php file

.htaccess file

The CSP needs to be wrapped in this if statement

<IfModule mod_headers.c>
    Content-Security-Policy "default-src 'self';
</IfModule>

multi line blocks need line breaks with slashes like these that are not needed in the meta tag

Header set Content-Security-Policy: "default-src 'self'; \
style-src 'self' 'unsafe-inline'; \
font-src 'self' ;"

Jetpack

When dealing with a theme using jetpack theres an inline script on every page that’s easy to grab and throw the hash into the script-src on either Edge or Chrome writing it out for you in the console.

Reports

In the .htaccess file add the line

report-uri /csp-violation-report-endpoint.php

This is referencing the root of the site beside the .htaccess file I’ve been adapting on the file here


Explore Content Security Policy