gd-security-headers

It’s the best plug-in for setting security headers that I found so far. Easy set-up, good explanations.But what really stands out is the local reporting feature! Thank you very much!

Easy to install and relatively easy to configure.I only want to set CSP rules and it lets me do that easily, having the shortcuts for common rules such as Google Analytics etc is useful.The report-only features is clear and easy to use when starting to add rules and you need to gather a list of them.If had had one feature request it would be for the plugin to show an estimated header size.. I sometimes trip header size limits on a server when I need to add a lot of rules. If it coudl detect the server limit and warn if getting close – that’d be nice.All in all good plugin. Really dont know why some people only gave it 1 star, I can only assume they made mistakes configuring it.

A+ on headers scan, thank you for your work 🙂

Thank you!

There are a lot mistakes in the generated Content-Security-Policy statement. It fails to insert the blob and data directives. It adds a semicolon and double quote at the end of the line that shouldn’t be there. The only thing this plugin is really good for is the report page.

The Content-Security-Policy directive ‘script-src’ contains ‘script-src’ as a source expression. Did you want to add it as a directive and forget a semicolon? The Content-Security-Policy directive name ‘widget.gleamjs.io’ contains one or more invalid characters. Only ASCII alphanumeric characters or dashes ‘-‘ are allowed in directive names. The Content-Security-Policy directive name ‘www.googletagservices.com’ contains one or more invalid characters. Only ASCII alphanumeric characters or dashes ‘-‘ are allowed in directive names. etc etc etc