• Hello and thank you for offering this great plugin!

    Sorry if I have missed something and am asking stupid questions, but: I installed the plugin, but I cannot see many options to enable/disable.

    For example:

    - How can I put the CSP in read-only mode, and where do I enter any whitelisted items to the CSP when I enforce it?

    - For the permissions policy, there is a textbox with many entries, like: accelerometer=(), autoplay=(), camera=(). How should I use this box? Should I write something between the brackets (), and which options can I choose between?

    - In the plugin description at wordpress.org, there is a long list of features. But after installing the plugin, I can only see 3 features: HSTS, CSP and Permissions policy. Where can I find the other features?

    Again, sorry if these are stupid questions, but I just don't understand how to access the features of the plugin.

    Thank you!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @hans410947,

    Sorry for the delay in replying but I didn’t receive the notification of your request from WordPress in my email.

    Thank you for your kind words and for using Headers Security Advanced & HSTS WP! Let me clarify your questions and provide you with all the necessary information:

    Content Security Policy (CSP) in Read-Only Mode & Whitelisted Items
    The plugin allows you to define and enforce a CSP policy. While the interface is streamlined, we have pre-tested and verified common use cases with CSP. Below is a list of popular and tested configurations, compatible with the plugin:

    • Google Tag Manager
    • Gravatar (WordPress avatars)
    • YouTube Embedded Video SDK
    • Google Fonts
    • Facebook SDK
    • Stripe (payments)
    • Google Analytics
      …and many more!

    For a full list, check the description provided in this thread. If your requirements go beyond these, you can easily add custom CSP directives. Simply edit the CSP policy in the provided textbox and include additional sources as needed.

    Permissions Policy (Textbox Usage)
    The textbox for the Permissions Policy is flexible. For each feature (e.g., accelerometer, autoplay, camera), you can define specific permissions. Examples include:

    • accelerometer=("*") → Enables the feature for all origins.
    • camera=("https://example.com") → Restricts access to the specified origin.
    • geolocation=() → Disables geolocation.

    You can specify multiple values separated by commas. For detailed options, refer to the Permissions Policy documentation.

    To implement very strict CSP rules, I have compiled a list of tools that I use that are very useful for those who have little experience or want to use a tool that is useful to me.

    Features in the plugin
    The three key features (HSTS, CSP, Permissions Policy) cover the majority of modern security needs. However, some features mentioned in the description (like advanced CSP presets) may require manual customization or are applied implicitly for compatibility. I have kept the interface complete and automatic to ensure ease of use. If you have suggestions for additional options, please feel free to share them!

    I hope this clarifies everything. If you have further questions or suggestions, don’t hesitate to ask. Your feedback is invaluable!
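    The CSP whitelisting described above, as an added example that is not the plugin's own code: a small Python checker that says whether a resource URL would be allowed by a policy string, applying CSP's directive fallback (e.g. img-src inherits default-src) and host-source matching. The policy is a constructed sample built around entries from the list above, not the plugin's real default; the same string is what goes in the Content-Security-Policy-Report-Only header while testing and in the Content-Security-Policy header once enforced.

```python
from urllib.parse import urlparse

# Constructed sample policy covering items from the author's list (Google Fonts,
# Gravatar, Google Tag Manager); it is NOT the plugin's real default policy.
POLICY = ("default-src 'self'; "
          "script-src 'self' https://www.googletagmanager.com; "
          "style-src 'self' https://fonts.googleapis.com; "
          "font-src https://fonts.gstatic.com; "
          "img-src 'self' https://*.gravatar.com data:")

FALLBACK = {"script-src": "default-src", "style-src": "default-src",
            "font-src": "default-src", "img-src": "default-src",
            "connect-src": "default-src", "child-src": "default-src",
            "frame-src": "child-src"}

def parse_csp(policy):
    """'dir a b; dir c' -> {dir: [a, b]}; a repeated directive is ignored."""
    out = {}
    for tokens in (part.split() for part in policy.split(";")):
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def source_matches(src, url, page_origin):
    """Simplified host-source matching: 'self', 'none', scheme:, host."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.endswith(":"):                      # scheme-source such as data: or https:
        return u.scheme == src[:-1].lower()
    s = urlparse(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:      # an explicit scheme must match
        return False
    want = (s.hostname or "").lower()
    if want.startswith("*."):                  # *.gravatar.com: subdomains only
        return host.endswith(want[1:])
    return host == want

def allowed(policy, directive, url, page_origin="https://example.com"):
    """Return (allowed?, governing directive) for loading url under directive."""
    dirs = parse_csp(policy)
    d = directive
    while d not in dirs and d in FALLBACK:
        d = FALLBACK[d]
    if d not in dirs:
        return True, None                      # no directive governs it
    return any(source_matches(s, url, page_origin) for s in dirs[d]), d
```

    Run the URLs your pages actually load through allowed() before switching from the report-only header to the enforcing one; anything that comes back False is what the browser would block.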

    Thread Starter hans410947

    (@hans410947)

    Hello @unicorn03 and thank you for the explanation!

    I wanted to ask about the CSP report-only/enforced modes.

    I am new to this, but I thought I was supposed to first put the CSP in report-only mode for a couple of weeks, and after that I should enforce the CSP.

    Is this correct?

    Where can I find the setting for choosing either report-only or enforced mode?

    Thank you!

    • This reply was modified 4 months, 3 weeks ago by hans410947.