SSL & Security Headers

(HTTP Response Headers)

SSL Scans

Security Header Scans

CSP Scans

  • Csper Policy Evaluator
    • PROCESS: Using the Content Security Policy (CSP) Generator (Chrome Extension) in MS Edge
      • START: Click on the CSPG Extension icon to start the process
      • Make sure it is enabled
      • COLLECT: Move around the ENTIRE site
      • INLINE: Review
      • DEPLOY: Copy the generated CSP
      • For default-src
        • add: https:
      • For img-src
        • add: data:
      • For default-src
        • add: https:
        • add: 'unsafe-inline'
          • Not having these breaks the WordPress "Site Health" page
          • Considered unsafe practice
      • For script-src
        • add: 'self' 'unsafe-inline' 'unsafe-eval'
          • Not having these breaks the WordPress "Site Health" page
          • Considered unsafe practice
        • add: https:
      • For style-src
        • add: 'unsafe-inline'
        • add: https:
      • For report-uri
        • remove: report-uri https://667f180dd528e3ceb6b0e57f.endpoint.csper.io/?v=0;
        • OR remove the entire report-uri
      • For worker-src
        • add: blob:

CSP Generators

Other

Current Security Headers

  • As tested on jta-intranet.havashealth.com (wpengine.com)

    Action  Name                       Value
    Set     X-Frame-Options            "sameorigin"
    Set     X-Content-Type-Options     "nosniff"
    Set     Content-Security-Policy    "base-uri 'self'; connect-src 'self'; default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; frame-src 'self'; img-src 'self' data: https://secure.gravatar.com; manifest-src 'self'; media-src 'self'; object-src 'none'; report-uri https://667eec440dfa2ed26f487c04.endpoint.csper.io/?v=1; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; worker-src blob:;"
    Set     Strict-Transport-Security  "max-age=31536000; includeSubDomains; preload"
    Set     X-XSS-Protection           "1; mode=block"
    Set     Expect-CT                  "max-age=7776000, enforce"
    Set     Referrer-Policy            "no-referrer-when-downgrade, strict-origin-when-cross-origin"
    Set     Permissions-Policy         "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
    Set     Cache-Control              "public max-age=604800"
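Added check (example code written for these notes, not from the page, Csper or the CSP Generator extension): a small offline Python linter that parses the Content-Security-Policy value in the table above, normalises the curly quotes a rich-text copy/paste introduces (browsers only recognise 'self', 'none' and 'unsafe-inline' with ASCII single quotes), and lists the sources the CSP Generator process above marks as unsafe practice, plus any directive a reviewer expects to see explicitly but is missing. Function and constant names are my own.

```python
# Directives whose sources decide what can execute; weak sources here matter most.
EXEC_DIRECTIVES = {"default-src", "script-src", "style-src", "object-src"}
# Sources that widen an execution directive: the keywords the notes add to keep
# the WordPress "Site Health" page working, plus wildcard/scheme-only sources.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
# Directives default-src does not cover, so a reviewer expects them set explicitly.
EXPECTED_DIRECTIVES = {"base-uri", "object-src", "frame-ancestors"}

def normalise_quotes(header: str) -> str:
    """Map U+2018/U+2019/U+201C/U+201D (rich-text quotes) to ASCII quotes."""
    return (header.replace("\u2018", "'").replace("\u2019", "'")
                  .replace("\u201c", '"').replace("\u201d", '"'))

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for part in normalise_quotes(header).strip('"').split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(header: str) -> dict[str, list[str]]:
    """Return findings: weak sources per execution directive, plus missing directives."""
    policy = parse_csp(header)
    findings: dict[str, list[str]] = {}
    for directive in sorted(EXEC_DIRECTIVES & set(policy)):
        weak = [s for s in policy[directive] if s in WEAK_SOURCES]
        if weak:
            findings[directive] = weak
    missing = sorted(EXPECTED_DIRECTIVES - set(policy))
    if missing:
        findings["missing"] = missing
    return findings

# Constructed input: the policy from the "Current Security Headers" table,
# as it would be pasted straight from the notes (curly quotes included).
PAGE_CSP = ("base-uri ‘self’; connect-src ‘self’; default-src ‘self’; "
            "font-src ‘self’ data: https://fonts.gstatic.com; frame-src ‘self’; "
            "img-src ‘self’ data: https://secure.gravatar.com; manifest-src ‘self’; "
            "media-src ‘self’; object-src ‘none’; "
            "report-uri https://667eec440dfa2ed26f487c04.endpoint.csper.io/?v=1; "
            "script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; "
            "style-src ‘self’ ‘unsafe-inline’ https://fonts.googleapis.com; worker-src blob:;")

if __name__ == "__main__":
    for directive, items in lint_csp(PAGE_CSP).items():
        print(f"{directive}: {' '.join(items)}")
```

Run it after each CSP edit from the generator; an empty result means none of the widening sources are left on the execution directives and the expected directives are all present.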