Headers Security Advanced & HSTS WP

Datadog will monitor content security policy (CSP) violations and other security and performance metrics of your site.

You can find your Datadog API Key in the “API Keys” section under “Integrations” in the Datadog control panel. Once the plug-in is activated it performs a test (before and after): Manage CSP reporting with Datadog

Sentry will monitor and log content security policy (CSP) violations and other JavaScript exceptions that occur on your site.

1. Log in to your Sentry dashboard.
2. Click on the “Projects” menu item.
3. Select the project you have created.
4. Click on the gear icon to open project settings.
5. In the project settings, go to the “SDK SETUP” section.
6. Click on “Security Headers”.
7. Copy the automatically generated “REPORT URI” URL and paste it into the “CSP Report URI” field in the plugin settings. Example Sentry Report URI (e.g., https://<your_org>.sentry.io/api/<project_id>/security/?sentry_key=<key>).
8. The plugin will initialize Sentry and send CSP reports to Sentry.

Manage CSP reporting with Sentry

1. Log in to your Sentry dashboard.
2. Click on the “User Icon” at the top right of your screen.
3. Click “Settings”.
4. Add the domains you want to monitor to the “Monitored Domains” section on the settings page.
5. Click on “Security Headers”.
6. Copy the automatically generated “URIports” URL and paste it into the “CSP Report URI” field in the plugin settings. Example URIports Report URI (e.g., https://account-subdomain.uriports.com/reports).
7. The plugin will initialize URIports and send CSP reports to URIports.

Manage CSP reporting with URIports

I chose Sentry, URIports, Datadog, and Report URI for integration with this plugin because they are highly reputable and functional platforms in the field of security monitoring. Here’s a brief overview of each:

Sentry

Sentry is a well-known platform for monitoring and tracking errors and exceptions in applications. It provides comprehensive tools for logging and analyzing JavaScript errors, making it an excellent choice for monitoring Content Security Policy (CSP) violations. By integrating with Sentry, users can benefit from detailed error reports and proactive issue resolution.

Datadog

Datadog is a powerful platform for monitoring infrastructure, applications, and logs. It offers extensive capabilities for tracking security and performance metrics, including CSP violations. The integration with Datadog allows users to gain insights into the health and security of their websites, providing real-time monitoring and alerting features that are essential for maintaining a secure and performant environment.

Report URI

Report URI is a dedicated service for collecting and analyzing security violation reports, including CSP, HPKP, and other security headers. It is designed specifically to handle large volumes of security reports and provide detailed analytics and visualizations. By using Report URI, users can easily monitor and analyze CSP violations, helping them to quickly identify and mitigate potential security threats.

Each of these platforms offers unique strengths and capabilities, making them ideal choices for comprehensive security monitoring and reporting. By integrating with these well-established services, we aim to provide users with reliable and effective tools to enhance the security of their WordPress websites.

URIports

URIports is a well-known platform for monitoring and tracking errors and exceptions in applications. It provides comprehensive tools for logging and analyzing JavaScript errors, making it an excellent choice for monitoring Content Security Policy (CSP) violations. By integrating with URIports, users can benefit from detailed error reports and proactive issue resolution.

Yes, all CSP reports will be sent to Sentry, where you can view and analyze them in the Sentry control panel.

To earn an A+ grade, your site must issue all HTTP response headers that we check. This indicates a high level of commitment to improving the security of your visitors.

Over an HTTP connection we get Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Via an HTTPS connection, 2 additional headers are checked for presence which are Strict-Transport-Security and Public-Key-Pins.

• Once the plug-in is activated it performs a test (before and after): https://securityheaders.com/

No, Headers Security Advanced & HSTS WP is Fast, Secure and does not affect the SEO and speed of your website.

It was created as a solution to force the browser to use secure connections when a site is running on HTTPS. It is a security header that is added to the web server and reflected in the response header as Strict-Transport-Security. HSTS is important because it addresses the following anomalies:

This step is important to submit your website and/or domain to an approved HSTS list. Google officially compiles this list and it is used by Chrome, Firefox, Opera, Safari, IE11 and Edge. You can forward your site to the official HSTS preload directory. (‘https://hstspreload.org/’)

If you want to use Preload HSTS for your site, there are a few requirements before you can activate it.

• Have a valid SSL certificate. You can’t do any of this anyway without it.
• You must redirect all HTTP traffic to HTTPS (recommended via permanent 301 redirects). This means that your site should be HTTPS only.
• You need to serve all subdomains in HTTPS as well. If you have subdomains, you will need an SSL certificate.

The HSTS header on your base domain (for example: example.com) is already configured you just need to activate the plug-in.

If you want to check the HSTS status of your site, you can do so here: https://hstspreload.org/

You can report bugs or request new features right support@openheaders[dot]org

FLoC is a mega tracker that monitors user activity on all sites, stores the information in the browser, and then uses machine learning to place users into cohorts with similar interests. This way, advertisers can target groups of people with similar interests. Plus, according to Google’s own testing, FLoC achieves at least 95% more conversions than cookies.

Scott Helme reported that as of May 3, already 967 of the first 1 million domains had disabled FLoC’s interest-cohort in their Permissions-Policy header. That list included some big sites like The Guardian and IKEA.

Are you experiencing any anomalies after a plugin update? If yes, please follow these instructions: clear the cache directly to the CloudFlare Client Area

• Log in to your Cloudflare dashboard, and select your account and domain.
• Select Caching > Configuration.
• Under Cache Purge, select Custom Purge. The custom purge window will be displayed.
• Under Purge by, select URL.
• Enter the appropriate values in the text field using the format shown in the example.
• Run through the additional instructions to complete the form.
• Review the data entered.
• Click Delete.

This will cause the cloudFlare

When writing your CSP directives in the plugin settings, please follow these rules to avoid invalid configurations:

1. Always use single quotes ' for CSP keywords

CSP keywords must always use straight ASCII single quotes:

• ‘self’
• ‘none’
• ‘unsafe-inline’
• ‘unsafe-eval’
• ‘strict-dynamic’

These are required by the CSP specification.

2. Never use double quotes " inside the CSP

Double quotes are used only outside the policy (for example by Apache when setting headers), not inside the CSP syntax.
Using double quotes inside the policy may break the .htaccess configuration.

3. Do not use “smart quotes” or curly quotes (‘ ’ “ ”)

Smart quotes often appear when copying text from Word, Google Docs, PDFs, email clients, or mobile keyboards. These characters are invalid in CSP and may cause the browser to reject the policy or Apache to return HTTP 500 errors.

The plugin automatically converts smart quotes to standard quotes, but it is recommended to avoid them when writing your policy.

5. What happens if a user enters an invalid CSP?

Starting from version 5.2.4, the plugin automatically:
– Normalizes curly quotes to ASCII quotes
– Replaces invalid double quotes inside the CSP
– Prevents malformed CSP syntax from breaking .htaccess
– Falls back to the built-in default CSP if the input is clearly invalid

This ensures that even incorrect CSP input will not cause the site to crash.