• Resolved danrancan

    (@danrancan)


    Hi, I am trying to create a strict Content Security Policy (Header) in my Nginx configuration, and I want to be sure that any outside sources that this plugin uses are included in my policy.

    In my Nginx virtual hosts server block, I am starting off with the following strict Content Security Policy:

    add_header Content-Security-Policy "default-src 'self';";

    Is there anything that this plugin uses that isn’t included in ‘self’, that would need to be included in a strict content security policy header?

    If so, could you please tell me what else I need to include in my Nginx header (specifying img-src rules, style-src rules, script-src rules, connect-src rules, and any other etc-src rules) to keep a strict CSP while still allowing this plugin to be fully functional? Thanks so much for any help!


Viewing 1 replies (of 1 total)
  • Plugin Author Christopher Finke

    (@cfinke)

    The Akismet plugin only loads JavaScript and CSS that are shipped with the plugin, so self should be fine for those (specifically, the files in the _inc directory).

    There is a stats iframe that loads from the domain tools.akismet.com, so if you want access to that, you should include `frame-src https://tools.akismet.com/`.
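    Putting the answer above into an Nginx server block, as an added example that is not part of the original thread: the first header is the questioner's starting policy, which blocks the Akismet stats iframe because `frame-src` falls back to `default-src 'self'` when it is not set; the second adds the `frame-src` allowance the plugin author names. The server name and the choice of `always` are assumptions for illustration; the only external origin listed is the one stated in the reply.

    ```nginx
    server {
        listen 443 ssl;
        server_name example.com;   # assumed placeholder, not from the thread

        # Starting policy from the question: everything must come from the
        # site's own origin. Akismet's own JS/CSS (the _inc directory) is
        # served from 'self', so scripts and styles keep working, but the
        # tools.akismet.com stats iframe is refused, since frame-src inherits
        # 'self' from default-src when no frame-src is given.
        # add_header Content-Security-Policy "default-src 'self';" always;

        # Corrected policy: keep default-src strict and open only the
        # frame-src the plugin author identifies. 'always' (assumed) makes
        # Nginx emit the header on error responses as well as 200s.
        add_header Content-Security-Policy
            "default-src 'self'; frame-src https://tools.akismet.com/;" always;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    }
    ```

    After a reload, the browser console is the quickest check: with the first header an Akismet stats page reports a CSP violation naming `frame-src` (or `default-src` in older browsers) and `tools.akismet.com`; with the second it loads, while any other third-party frame, script or image is still refused, which is the behaviour a strict policy is meant to give.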

  • The topic ‘Content security policy inclusions when using this plugin?’ is closed to new replies.