Support

Admin Tools for WordPress

#36950 CSP in Admin Tools Professional?

Posted in ‘Admin Tools for WordPress’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

WordPress version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 14 April 2022 01:32 CDT

DRI

Any plans on adding a Content Security Policy generator into Admin Tools Pro, maybe as part of the .htaccess generator? It would be a really nice feature. I don't mind doing it by hand directly in the server configuration, but I like our other site admins that are only familiar with WordPress to have one place to look for rules and settings. Thank you!

nicholas
Akeeba Staff
Manager

Absolutely and categorically not.

Writing an effective set of Content-Security-Policy headers requires deep knowledge of every aspect of your site. You need to know for each and every page of your site and each and every application state which inline script, script file, embedded script in included HTML / SVG / etc, static media files, fonts, IFrames, manifests, embedded objects, prefetch URIs etc are used.

This very nature of CSP makes it impossible to provide reasonable support. Had the client already collected the information we need to support them they wouldn't need us to provide support. Having us collect that information costs two orders of magnitude the net profit of a subscription. We've had software with this kind of loss leader support once (Akeeba Subscriptions); we discontinued it within a few short months after it almost destroyed the company. I am not doing that mistake twice.

What we do is allow you to provide whatever custom .htaccess code you want in the .htaccess Maker. You want to add Content-Security-Policy headers? Go ahead and put them there, but it's up to you to write and maintain them.

If you don't think you can do that yourself you shouldn't be using CSP β€” manually or automatically generated alike β€” because by definition you will not understand how it works, how it will break your site and what you will need to do to fix it. This is okay and expected. Writing and maintaining effective CSP requires deep understanding of how your site works and how servers and browsers work, including some arcane details. It's a tool for systems administrators, not end users. It's not even necessary for the vast majority of sites. The sites which need CSP also have the budget for a full time systems administration team which can maintain it.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!