[WordPress] Plugin: SeaSP Community Edition

Active installs: 20+
Rating: 4.7/5 (3 reviews)
Last updated: 1704 days ago
Requires: WordPress 5.1+, PHP 7.0+
Version: v1.8.3, published 2020-08-17


Plugin description

SeaSP Community Edition is an automated Content Security Policy manager. SeaSP allows you to create, configure, manage, and deploy a Content Security Policy (CSP) for your site.
The WordPress SeaSP Community Edition plugin catalogs the domains that appear on your site, so you can categorize them and filter out the ones you do not want. This adds a layer of WordPress security that protects your site from Magecart-style skimmers and other cross-site scripting attacks.
SeaSP installs a strict non-blocking (report-only) CSP to collect violation data and provide a violation report. Violation data flows into the WordPress database as a PHP option within the plugin's options schema. Violations are listed per directive (CSS, fonts, images, JS, etc.) and can be approved by domain; you can approve a base domain together with its subdomains. The SeaSP UI helps by explaining what each directive does and how to use it to build a CSP.
After configuring the domain and directive settings, switch the CSP to blocking mode. Once the CSP is in blocking mode, browsers refuse to load scripts, styles and other resources from any origin the policy does not list, so code injected from an unrecognized source is not executed. SeaSP Community Edition helps secure your site.
Upgrade Notice for 1.4 only

When you install this version you will need to rebuild your CSP

Usage
Once installed, a strict non-blocking, report-only CSP is applied to your site. Visit each page of your site to collect CSP violations. Only pages that are actually rendered in a browser produce reports, so exercise logged-in views, checkout flows and anything loaded on user interaction before treating the catalog as complete; a page you never visited can break when the policy starts blocking.
Visit the plugin's Current Violations page to review the domains that have violated a directive in the CSP.
Review each domain carefully and check for misspellings of common domains, such as adobee.com instead of adobe.com; a lookalike domain is a common way attackers inject content into a site.
If you are confident that the domain belongs on your site and should be serving the stated file type, click the toggle to approve the domain and include it in the CSP.
If you want subdomains of that domain to be able to serve that type of content as well, click the Manage subdomains button to view and approve the subdomains.
After this process, you might still see CSP violations for inline scripts, inline styles, blobs, or data: URIs.
To allow this type of content in the Community version, navigate to the Directive Settings page, find the offending directive, and toggle the appropriate option. Allow inline scripts only if you must: a script-src that permits inline code cannot stop an injected inline script, which is the most common XSS payload, so move such scripts to files served from an approved origin where you can.
For convenience, each option has a tooltip explaining what it allows in your CSP.
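The report-only to blocking workflow described above, as an added example in Python (this is not SeaSP's own code, which is PHP and lives in its GitHub repository). It parses violation reports in the JSON shape browsers POST to a `report-uri` endpoint, groups them by directive the way the Current Violations page does, flags typosquatted hosts such as adobee.com against a list of domains you already trust, reports what would still be blocked, and assembles the header from only the approved sources, first as `Content-Security-Policy-Report-Only` and then as `Content-Security-Policy`. It also makes explicit something the approve-subdomains step only implies: a `*.adobe.com` wildcard does not match `adobe.com` itself, so approving a base domain with its subdomains needs both entries. The sample reports, the `shop.example` site, the `/csp-report` path and the `default-src 'self'` baseline are constructed for the example; SeaSP keeps its reports in a WordPress option, which is not replicated here.

```python
"""Report-only -> blocking CSP workflow. Added example, not SeaSP's code.
Reports use the standard `report-uri` JSON shape (top-level "csp-report")."""
import json
from urllib.parse import urlsplit

# Constructed sample reports, as a report-uri endpoint would receive them while
# the policy is in report-only mode. Browsers report inline code as "inline".
SAMPLE_REPORTS = [json.dumps({"csp-report": r}) for r in [
    {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src 'self'",
     "effective-directive": "script-src", "blocked-uri": "https://cdn.jsdelivr.net/npm/jquery.js"},
    {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src 'self'",
     "effective-directive": "script-src", "blocked-uri": "https://www.adobee.com/loader.js"},
    {"document-uri": "https://shop.example/", "violated-directive": "font-src 'self'",
     "effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com/s/roboto.woff2"},
    {"document-uri": "https://shop.example/", "violated-directive": "img-src 'self'",
     "effective-directive": "img-src", "blocked-uri": "https://static.adobe.com/logo.png"},
    {"document-uri": "https://shop.example/", "violated-directive": "script-src 'self'",
     "effective-directive": "script-src", "blocked-uri": "inline"},
    {"document-uri": "https://shop.example/", "violated-directive": "style-src 'self'",
     "effective-directive": "style-src-elem", "blocked-uri": "inline"},
]]


def source_of(blocked_uri):
    """Host of a blocked URL, or the bare keyword (inline, eval, data, blob)."""
    parts = urlsplit(blocked_uri)
    return parts.netloc.lower() if parts.netloc else blocked_uri.lower()


def directive_of(report):
    """Directive to approve against: prefer effective-directive, drop the source
    list older browsers append to violated-directive, fold -elem/-attr variants."""
    d = report.get("effective-directive") or report["violated-directive"].split()[0]
    for suffix in ("-elem", "-attr"):
        if d.endswith(suffix):
            d = d[: -len(suffix)]
    return d


def catalog(raw_reports):
    """Directive -> set of sources seen: the 'Current Violations' view."""
    seen = {}
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        seen.setdefault(directive_of(r), set()).add(source_of(r["blocked-uri"]))
    return seen


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels; an approximation of eTLD+1 (use the public suffix list for real)."""
    return ".".join(host.split(":")[0].split(".")[-2:])


def lookalikes(sources, known_domains):
    """Hosts one edit away from a domain you trust (adobee.com vs adobe.com)."""
    flagged = {}
    for src in sources:
        if "." not in src:  # keywords such as inline/eval/data/blob
            continue
        for known in known_domains:
            if 0 < edit_distance(registrable(src), known) <= 1:
                flagged[src] = known
    return flagged


def covered(directive, src, approved, subdomain_bases, inline_ok):
    """Would this source be allowed by the policy built from the approvals?"""
    if src == "inline":
        return directive in inline_ok
    if src in approved.get(directive, ()):
        return True
    host = src.split(":")[0]
    return any(host == b or host.endswith("." + b) for b in subdomain_bases.get(directive, ()))


def unapproved(seen, approved, subdomain_bases, inline_ok=()):
    """What would still be blocked once the policy is enforced."""
    left = {}
    for d, sources in seen.items():
        rest = {s for s in sources if not covered(d, s, approved, subdomain_bases, inline_ok)}
        if rest:
            left[d] = rest
    return left


def build_policy(seen, approved, subdomain_bases, inline_ok=(), enforce=False, report_uri="/csp-report"):
    """Header name and value. Only approved sources get in; a wildcard does not
    match the base domain, so both are emitted. 'unsafe-inline' is the coarse
    toggle; nonces or hashes are the safer route, especially for script-src."""
    parts = ["default-src 'self'"]
    for d in sorted(set(seen) | set(approved) | set(subdomain_bases)):
        sources = ["'self'"] + sorted(approved.get(d, ()))
        for base in sorted(subdomain_bases.get(d, ())):
            sources += [base, "*." + base]
        if d in inline_ok:
            sources.append("'unsafe-inline'")
        parts.append(f"{d} {' '.join(sources)}")
    parts.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(parts)


if __name__ == "__main__":
    seen = catalog(SAMPLE_REPORTS)
    print("suspicious:", lookalikes(seen["script-src"], ["adobe.com"]))
    approved = {"script-src": {"cdn.jsdelivr.net"}, "font-src": {"fonts.gstatic.com"}}
    bases = {"img-src": {"adobe.com"}}
    print("still blocked:", unapproved(seen, approved, bases, inline_ok={"style-src"}))
    print(*build_policy(seen, approved, bases, inline_ok={"style-src"}, enforce=True), sep=": ")
```

Run as a script it prints the typosquat (www.adobee.com), the two script-src entries that remain unapproved (the lookalike host and the inline script), and the enforcing header. The point of `unapproved` is the switch-over check: flip `enforce=True` only when it returns nothing you did not deliberately leave blocked.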
Walk Through
A walkthrough video is available on YouTube.

Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
This project has been tested on WordPress up to version 5.8 on both single and multi-site instances.
The project can be found on GitHub.
This project is sponsored by Blue Triangle.
Third Party Libraries
We use Bootstrap for the plugin's UI to keep the interface clean and simple.
Bootstrap's license can be found here.
We use bootstrap-toggle because plain checkboxes can be confusing and we wanted the CSP manager's UI to feel easy. This code was developed for The New York Times by Min Hur and is licensed under the MIT License.
License
GNU
Opt-in usage data collection
As of version 1.5, users can opt in to data collection that helps us determine how many people are using the plugin and which features we should work on in future versions. This can be managed on the Usage Data Settings page. We collect and send the following data:
1. WordPress version
2. WordPress debug mode
3. WordPress multisite
4. the base URL the plugin is installed on, e.g. www.bluetriangle.com
This data is only accessible to the Blue Triangle organization and is used to gauge our user base and plan features.
