SeaSP Community Edition is an automated Content Security Policy manager for WordPress. A Content Security Policy (CSP) is a browser security standard that controls which origins (domains and subdomains) and which types of resources a browser may load on a given web page. It is normally delivered as an HTTP response header (Content-Security-Policy), but a CSP can also be placed on a page with a <meta http-equiv="Content-Security-Policy"> tag; note that the meta form cannot be report-only and cannot carry the frame-ancestors, report-uri, or sandbox directives. CSPs are supported by all modern desktop and mobile browsers, including Chrome, Firefox, Edge, Opera, and Safari (Internet Explorer only ever supported the sandbox directive). CSPs are used to detect and prevent attacks such as formjacking and cross-site scripting, browser hijacking and ad injection, and unauthorized piggyback tags.
The WordPress SeaSP Community Edition plugin was created to help you quickly document which domains your site loads resources from, so you can categorize them and filter out any you do not want. First, SeaSP installs a strict non-blocking CSP (sent as Content-Security-Policy-Report-Only) to collect violation reports. The violation data is stored in the WordPress database as an option within the plugin's section of the options table.
Using the SeaSP Community Edition plugin, the violating domains can be approved and categorized by directive (CSS, fonts, images, JS, etc.). Base domains and their subdomains can both be approved. The SeaSP UI explains what each directive does and how the directives combine to form a CSP.
Once the domain and directive settings are configured as needed, the CSP can be switched to blocking mode. In blocking mode the browser refuses to load scripts, styles, and other resources from any origin the policy does not list, which closes the usual route for injected third-party code. Keep in mind that a CSP cannot tell good from bad content served by an origin you have approved, so keep the approved list as short as possible. This helps you secure your site and protect your bounty.
Once the plugin is installed, a strict non-blocking CSP is active on your site. Visit each page of your site so that the browser reports the CSP violations for every page.
Visit the Current Violations page of the plugin to review domains that have violated a directive in the CSP.
Review each domain carefully and check for misspellings of common domains, such as adobee.com instead of adobe.com, since look-alike domains are a common way attackers inject content into a site.
If you feel confident that the domain belongs on your site and it should be serving the file type stated, click the toggle to approve the domain and include it in the CSP.
If you want to allow subdomains of that domain to be able to serve that type of content, click the include subdomains toggle.
To learn more about the directive that was violated click the blue Directive button.
After this process you may still see CSP violations for inline scripts, inline styles, blob: URIs, or data: URIs.
To allow this type of content in the community version, navigate to the Directive Settings page, find the offending directive, and toggle the appropriate option. Be aware that allowing inline scripts ('unsafe-inline' in script-src) largely disables the cross-site scripting protection a CSP provides; where possible, move scripts into files served from an approved domain instead.
For convenience, each option has a tool tip explaining what it allows in your CSP.
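The steps above (a strict report-only policy, grouping the violation reports by directive and domain, checking for look-alike domains, then approving domains with or without subdomains and toggling inline/data options into a blocking policy), shown as an added Python example that is not SeaSP's own code. The directive list, the toggle names, the report shape (the JSON a browser POSTs to a report-uri endpoint), the sample reports and the known-domain list are all constructed for illustration; how SeaSP itself implements these steps is not shown here.

```python
"""Added example (not SeaSP code): the report-only -> review -> enforce CSP
workflow in plain Python. Reports use the {"csp-report": {...}} JSON a browser
POSTs to a report-uri endpoint; samples and the known-domain list are constructed."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Directives the strict starting policy restricts to 'self' (assumed set).
DIRECTIVES = ["default-src", "script-src", "style-src", "img-src",
              "font-src", "connect-src", "frame-src"]
# Keyword values a browser puts in blocked-uri instead of a URL.
KEYWORD_URIS = {"inline", "eval", "data", "blob"}
# Directive Settings toggles -> CSP source tokens (toggle names assumed).
OPTION_TOKENS = [("unsafe-inline", "'unsafe-inline'"), ("unsafe-eval", "'unsafe-eval'"),
                 ("data", "data:"), ("blob", "blob:")]
KNOWN_DOMAINS = ["adobe.com", "google-analytics.com"]   # constructed allowlist

def report_only_header(report_uri="/csp-report"):
    """Strict non-blocking policy for collecting violations: sent as
    Content-Security-Policy-Report-Only, so nothing is blocked yet."""
    policy = "; ".join(f"{d} 'self'" for d in DIRECTIVES)
    return "Content-Security-Policy-Report-Only", f"{policy}; report-uri {report_uri}"

def parse_reports(raw_reports):
    """Group violation reports: {directive: {blocked host or keyword: count}}."""
    grouped = defaultdict(lambda: defaultdict(int))
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        blocked = r["blocked-uri"]
        key = blocked if blocked in KEYWORD_URIS else (urlsplit(blocked).hostname or blocked)
        grouped[directive][key] += 1
    return {d: dict(hosts) for d, hosts in grouped.items()}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels of a host. A public-suffix list would be needed for
    names like example.co.uk; this is a deliberate simplification."""
    return ".".join(host.split(".")[-2:])

def lookalikes(hosts, known=KNOWN_DOMAINS):
    """Flag hosts whose base domain is not known but lies within edit distance 2
    of a known domain (adobee.com vs adobe.com). Returns {host: known domain}."""
    flagged = {}
    for host in hosts:
        base = base_domain(host)
        if base in known:
            continue
        for k in known:
            if edit_distance(base, k) <= 2:
                flagged[host] = k
                break
    return flagged

def enforcing_header(approvals, directive_options=None):
    """Blocking policy built from approvals {directive: [(host, include_subdomains)]}
    and directive_options {directive: set of OPTION_TOKENS keys}."""
    directive_options = directive_options or {}
    parts = []
    for d in DIRECTIVES:
        sources = ["'self'"]
        for host, include_subdomains in approvals.get(d, []):
            sources.append(f"https://{host}")
            if include_subdomains:      # '*.host' matches subdomains only, so keep both
                sources.append(f"https://*.{host}")
        for key, token in OPTION_TOKENS:
            if key in directive_options.get(d, ()):
                # 'unsafe-inline' in script-src largely defeats CSP's XSS protection;
                # nonces or hashes are the stronger way to allow inline code.
                sources.append(token)
        parts.append(f"{d} {' '.join(sources)}")
    return "Content-Security-Policy", "; ".join(parts)

def _report(directive, blocked):
    return json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                                      "violated-directive": f"{directive} 'self'",
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})

# Constructed sample reports, as if several pages had been visited in report-only mode.
SAMPLE_REPORTS = [
    _report("script-src", "https://www.google-analytics.com/analytics.js"),
    _report("script-src", "https://www.google-analytics.com/plugins/ua/linkid.js"),
    _report("font-src", "https://fonts.adobee.com/checkout.woff2"),   # typosquat
    _report("style-src", "inline"),
    _report("img-src", "data"),
]

if __name__ == "__main__":
    print(": ".join(report_only_header()))
    grouped = parse_reports(SAMPLE_REPORTS)
    hosts = [h for hs in grouped.values() for h in hs if h not in KEYWORD_URIS]
    print("violations:", grouped)
    print("suspicious:", lookalikes(hosts))
    approvals = {"script-src": [("google-analytics.com", True)]}
    options = {"style-src": {"unsafe-inline"}, "img-src": {"data"}}
    print(": ".join(enforcing_header(approvals, options)))
```

Running the block prints the report-only header, the grouped violations (with fonts.adobee.com flagged as a look-alike of adobe.com), and the resulting blocking header; the typosquat is deliberately left out of the approvals, and the inline-style and data: toggles show what the Directive Settings options add to the policy.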
A walk-through video can be found on YouTube here
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
This project has been tested on WordPress up to version 5.4 on both single and multi-site instances.
The project can be found on GitHub
This project is sponsored by Blue Triangle