How to set “Strict-Transport-Security”?

How to set “Strict-Transport-Security”?

Jason Long
Hello,
For a website with the name "my-example.net", what is the correct syntax of:

Header set Content-Security-Policy "default-src 'self';"

?

Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: How to set “Strict-Transport-Security”?

Jim Albert
On 9/27/2020 2:50 AM, Jason Long wrote:

> Hello,
> For a website with the name "my-example.net", what is the correct syntax of:
>
> Header set Content-Security-Policy "default-src 'self';"
>
> ?
>
> Thank you.
>
>

Which header are you asking about?
Strict-Transport-Security (your email subject) - indicates to the
browser that the site should only be accessed via https. The browser
will make future requests via https.
Content-Security-Policy (your email body) - sets a trust policy for
content on a given site.

Jim



Re: How to set “Strict-Transport-Security”?

Jason Long
Header set Content-Security-Policy "default-src 'self';"

After it, some features of WordPress like menu disabled!

On Sunday, September 27, 2020, 05:29:51 PM GMT+3:30, Jim Albert <[hidden email]> wrote:

On 9/27/2020 2:50 AM, Jason Long wrote:

> Hello,
> For a website with the name "my-example.net", what is the correct syntax of:
>
> Header set Content-Security-Policy "default-src 'self';"
>
> ?
>
> Thank you.

>
>

Which header are you asking about?
Strict-Transport-Security (your email subject) - indicates to the
browser that the site should only be accessed via https. The browser
will make future requests via https.
Content-Security-Policy (your email body) - sets a trust policy for
content on a given site.

Jim



Re: How to set “Strict-Transport-Security”?

Jim Albert
On 9/28/2020 3:52 PM, Jason Long wrote:
> Header set Content-Security-Policy "default-src 'self';"
>
> After it, some features of WordPress like menu disabled!


You posted this same question about a week ago, to which I responded. My
response is repeated below with some additional advice.

Use your browser's developer tools (usually F12) to view your console
errors and warnings. The console will tell you what content your CSP
might be blocking.
Until you have your CSP set properly, you can use a report-only CSP
header to report what's in violation of your CSP without actually
blocking it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

That's about the best advice you are going to get.  You need to
understand the syntax of a Content Security Policy (CSP), what its
purpose is and how it can affect content of a web page.
Start with the links above.

The content you no longer see might come from a source not allowed by
your CSP. Your browser's dev tools console will confirm if that is true.

Jim

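
The two headers discussed in this thread, as an added example that is not part of the original messages or of Apache's documentation: an httpd `mod_headers` fragment for the site name from the question, with the CSP in report-only mode as suggested in the last reply. The `max-age` value and the certificate paths are assumptions and placeholders.

```apache
# Added example (not from the thread). Assumes mod_headers and mod_ssl are
# loaded and that my-example.net has a valid TLS certificate.

<VirtualHost *:80>
    ServerName my-example.net
    # Browsers ignore Strict-Transport-Security received over plain HTTP,
    # so port 80 only redirects to HTTPS.
    Redirect permanent "/" "https://my-example.net/"
</VirtualHost>

<VirtualHost *:443>
    ServerName my-example.net
    SSLEngine on
    # Placeholder paths: replace with the site's real certificate and key.
    SSLCertificateFile "/path/to/fullchain.pem"
    SSLCertificateKeyFile "/path/to/privkey.pem"

    <IfModule mod_headers.c>
        # HSTS: the browser uses HTTPS only for this host for max-age seconds.
        # 31536000 (one year) is an assumed value; use a small max-age while
        # testing, because browsers cache the policy.
        # "always" also adds the header to error and redirect responses.
        Header always set Strict-Transport-Security "max-age=31536000"

        # CSP in report-only mode: violations show up in the browser's
        # developer console (F12), but nothing is blocked.
        Header always set Content-Security-Policy-Report-Only "default-src 'self'"

        # Once the console shows no unexpected violations, enforce instead:
        # Header always set Content-Security-Policy "default-src 'self'"
    </IfModule>
</VirtualHost>
```

Running `apachectl configtest` checks the syntax before the server is reloaded.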