Opened 5 years ago
Last modified 5 years ago
#47788 new defect (bug)
send_headers hook does not work in wp-login or wp-admin
Reported by: | kysymysteke | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.2.2 |
Component: | Administration | Keywords: | 2nd-opinion has-patch |
Focuses: | administration, privacy | Cc: | |
Description
Assume that I want to start using CSP (Content Security Policy) on my website. I add this to my theme's functions.php:
```php
<?php
// Hook the front-end header-sending phase and emit a CSP header.
add_action( 'send_headers', 'set_CSP_header' );

function set_CSP_header() {
    $CSP = "Content-Security-Policy: default-src 'self';";
    header( $CSP );
}
```
You would assume that this would add the CSP everywhere on the website, but that is not so. This does NOT add the CSP header to wp-login or wp-admin. Instead website admins have to use the 'login_init' and 'admin_init' hooks in addition to 'send_headers', to get CSP everywhere on the website.
This is unintuitive and seems like a bug to me.
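For reference, the workaround the description points at, written out as a single callback registered on all three hooks. This is an added example, not code from the ticket or from WordPress core; the function and constant names and the report-only toggle are my own choices. The policy is the one from the description; since the admin relies heavily on inline scripts and styles, a bare `default-src 'self'` will break it, so the example defaults to `Content-Security-Policy-Report-Only` (a standard header that only reports violations) so the policy can be tuned from the reports before it is enforced.

```php
<?php
// Added example (not from the ticket or WordPress core). Sends one CSP
// header on the front end, the login screen and the admin, working around
// the fact that 'send_headers' only fires for front-end requests.

// Hypothetical names, chosen for this example.
define( 'MY_CSP_POLICY', "default-src 'self';" );
// true  => Content-Security-Policy-Report-Only (violations are reported, nothing is blocked)
// false => Content-Security-Policy (enforced)
define( 'MY_CSP_REPORT_ONLY', true );

/**
 * Emit the CSP header if it is still possible to do so.
 * Shared by all three hooks so the policy cannot drift between paths.
 */
function my_send_csp_header() {
    // header() cannot add headers once output has begun; bail out quietly
    // instead of triggering a "headers already sent" warning.
    if ( headers_sent() ) {
        return;
    }
    $name = MY_CSP_REPORT_ONLY
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    // The third argument (true) replaces any earlier header of the same name.
    header( $name . ': ' . MY_CSP_POLICY, true );
}

// Front end: the hook the ticket uses.
add_action( 'send_headers', 'my_send_csp_header' );
// wp-login.php never reaches 'send_headers'; 'login_init' runs before any output.
add_action( 'login_init', 'my_send_csp_header' );
// wp-admin likewise; 'admin_init' runs before the admin header is output.
add_action( 'admin_init', 'my_send_csp_header' );
```

Once the reported violations have been worked through and the policy widened accordingly, flip `MY_CSP_REPORT_ONLY` to `false` to enforce it.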
Attachments (1)
Change History (4)
Replying to kysymysteke:
Hi @kysymysteke ,
Here is another option...
In my opinion the best way to add protection and security to a website is by using the .htaccess.
From my understanding the most advised way of adding CSP to WordPress is by adding CSP rules to the .htaccess file, bear in mind that for this to work your web server must have the headers module activated. Add the code below to your .htaccess file.
This allows anything to be loaded from the website plus images from the specified domain (gravatar.com) over http & https. Anything else will be blocked by your browser.
Anyhoo this then blocks loading of JavaScript, images or data from other trusted domains e.g. plugins, so you will need to approve trusted domains using 'unsafe-inline'. For instance, say you want to use Google Analytics, you add the code below:
Adding CSP on your website will break your back-end so you need to add the following rules to the .htaccess file in the wp-admin folder.