Security Header Generator

変更履歴

= 4.1.22
* Removed: CLI Generator
* Verified: WP Core 6.5 Compatibility
* Add: Apply CSP to REST API
* Please be aware, once this is switched on it will also be active for the admin area of the site.
* Hook: wpsh_send_restapi_headers

= 4.0.01
* Verified: Core Version 6.4 compliant
* Remove: navigate-to directive for Content Security Policy
* Per: https://docs.w3cub.com/http/headers/content-security-policy/navigate-to no longer supported in any browser
* Add: report-to directive for Content Security Policy
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
* Please be aware, this directive currently does nothing in Firefox and Safari
* Updated: WordPress Defaults. Compliant ONLY with the following:
* Plugins: Gravity Forms
* Themes: Twenty Twenty, Twenty Twenty-One, Twenty Twenty-Two, Twenty Twenty-Three
* Updated: WordPress Core version requirements to 5.6.10

3.9.77

• Fix: Autofill on Basic Auth fields
• Add: Access-Control-Allow-Methods header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
  • Default: GET, POST, HEAD
    • These are WordPress default allowable methods for the REST API
  • Hook: wpsh_acam_header
• Add: Access-Control-Allow-Credentials
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
  • Default: true
  • Hook: wpsh_acac_header
• Updated: Documentation

3.9.12

• Update: Documentation
• Fix: Autoloader not including the settings
  • NOTE I had to manually include them, but not anymore 🙂
• Add: Directives to the COEP
  • require-corp and unsafe-none
  • NOTE require-corp will require you to configure the Cross-Origin-Resource-Policy header
• Remove older versions

3.9.01

• Fix: Deprecation notice in CLI
• Fix: Deprecated get_page_by_title
• Optimize: Class loading with Composers autoloader and it’s optimizations
• Updated: JS libraries (codemirror, leaflet, etc).
• Improved: Some JS and CSS coding.

3.8.14

• Fix: PHP 8.1 deprecation notice on rtrim
• Add: Cross-Origin-Resource-Policy header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
  • Default: same-origin
  • Hook: wpsh_corp_header

3.8.01

• Fix: CSP Headers being set in admin when not configured to do so
  • change in WP core send_headers or admin_init actions between Core 6.2 and Core 6.2.2
• Add: More concise boolean checks
• Add: Option for applying Content Security Policy headers to admin separately from primary security headers application setting
• Add: Option for applying Feature Policy headers to admin separately from primary security headers application setting
• Fix: Default CSP Script and Styles headers WP Defaults
• Remove: Implementation page in settings
  • No longer a need for this
• Update: Documentation for the above

3.7.23

• Remove: document-domain from the Permissions-Policy header
  • no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain
• Remove: execution-while-not-rendered from the Permissions-Policy header
  • no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/execution-while-not-rendered
• Remove: execution-while-out-of-viewport from the Permissions-Policy header
  • no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/execution-while-out-of-viewport
• Remove: navigation-override from the Permissions-Policy header
  • completely removed
• Remove: gamepad from the Permissions-Policy header
  • no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad
• Remove: The FLoC Permission Policy.
  • completely removed
• Add: hid to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid
• Add: identity-credentials-get to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get
• Add: idle-detection to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection
• Add publickey-credentials-create to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create
• Add screen-wake-lock to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock
• Add serial to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial
• Add web-share to the Permissions-Policy Header
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share

3.6.79

• Remove: prefetch-src from the Content-Security-Policy
  • no longer supported: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src

3.6.46

• Fix: Implementation Page
  • now accurately reflects the confguration set

3.6.44

• Verify: Up to 6.3 Compliant
• Fix: PHP 8.2 deprecation notices in field Framework

3.6.33

• Test: Up to 6.2 compliant

3.6.22

• Add: setting for allowing an access control origin
  • This should help out with CORS issues, especially from google

3.6.11

• Fix: PHP 8 warning messages
  • Warning: Undefined array key "Permissions-Policy"
• Fix: PHP 8 fatal error on special circumstance
  • KCP_CSPGEN_Headers::kp_get_generated_csp(): Return value must be of type array, string returned

3.6.02

• Test: Up to 6.1.2 compliant
• Fixed: Directory traversal in plugin
• Fixed: Added check/uncheck all option for checkbox field.
• Updated: Google Web Fonts array added new fonts.
• Updated: JS libraries (codemirror, leaflet, etc).
• Improved: Some JS and CSS coding.

3.5.17

• Test: Up to 6.1.1 compliant
• Remove: Server identifiers removers.
• Rework: Broke out the front-end and admin headers to separate methods
• Fix: Check for duplicate headers, or already set headers

3.4.28

• Fix: Typo in versioning

3.4.27

• Test: Up to 6.0.2 compliant
• Tech: force PHP 7.4 minimum
• Remove: Upgrader hook
  • this is no longer needed
• Remove: X-XSS-Protection Header
  • was depracated in version 2.2.13. Only compatible browsers as of 7/14/2022 are Edge and and Safari
    Use CSP to mitigate XSS

3.3.01

• Test: Up to 6.0 compliant
• Test: Up to PHP 8.1 Compliant
• New: Plugin Icon =)
• Updated: Settings Field Framework
  • Added: Number field “min”, “max”, “step” options.
  • Updated: Google Web Fonts array added new fonts.
  • Updated: JS libraries (codemirror, leaflet, etc).
  • Improved: Group field “custom title and prefix” option (samples added).
  • Improved: Some JS and CSS coding.

3.2.37

• Fix: Eval and Inline for empty directives

3.2.34

• Fix: Forgot a debugging var_dump… SMH

3.2.33

• Fix: Include blank directives:
  • Even if the directives are blank for the CSP, they should still be included with the ‘self’ flag
• Test: Up to 5.9.2 compliant
• Fix: CLI performance.
  • Was timing out, then skipping some directives on larger sites.

3.1.02

• Fix: Default WP CSP headers not being set
• Fix: Implementation now includes Default WP
• Feature: Implement debug check to queue unminified style and scripts
• Fix: Implementation from the CLI pulls

3.0.77

• Update: Settings framework

3.0.68

• Fix: OR to ||
  • forgot about it in the main plugin file
• Update: translatable resources
  • New: /languages/security-header-generator.pot

3.0.10

• Fix: Array issue
• Fix: Strict typing issue

3.0.09

• Feature: Implement post update hook to try to properly migrate existing settings to the new format
• Update: Change exportable/importable settings names, more legible
  • While I will do my best to automate this, please note it may not be perfect… I am only human after all 😉
  • If you export your settings before updating, you can import them again after updating and the below will be
    taken care of for you.
  • Just in case it does not work 100%, please export your settings before updating to this version and
    perform a search and replace for the string to remove it:
    • Search: “kp_cspgen_”
    • Replace: null|nothing|empty
  • NOTE: If you do not export your settings I will not guarantee that you will not have to reconfigure the plugin.
    Although… I did take a backup 😉 You will need to hop into your database to grab it though, it will be in your
    options table, and it is called: wpsh_TEMP_settings. I will have this automatically removed in a future update
• Add: Option to remove server advertising.
• Add: Expect-CT header
  • The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
    to prevent the use of misissued certificates for that site from going unnoticed.
  • Doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
  • Hook: wpsh_expectct_header
• Updated: Feature Policies.
  • Removed the following: battery, layout-animations, legacy-image-formats, oversized-images, screen-wake-lock,
    unoptimized-images, unsized-media, web-share
  • The above no longer have any browser support.
  • Added: Descriptive descriptions for each directive
• Updated: Content Security Policy
  • Added: the following fetch directives:
    • child-src, manifest-src, object-src, prefetch-src, script-src-elem,
      script-src-attr, style-src-elem, style-src-attr, worker-src, navigate-to
  • Added: Unsafe Inline and Unsafe Eval settings on each CSP directive
  • Added: Descriptive descriptions for each directive
  • Reworked: Settings for the entire section, which of course caused me to rewrite the way they are implemented.