WordPress deserves no CSP policy
# CSP policy for the wp-admin area under /olm/, report-only.
#
# Content-Security-Policy-Report-Only blocks nothing: violations are POSTed
# to report-uri and the page renders exactly as without the header. Rename
# the header to Content-Security-Policy once the reports come back clean to
# actually enforce the policy.
#
# script-src carries 'unsafe-inline' (presumably because wp-admin emits
# inline scripts -- confirm before removing). It also lets injected inline
# script run, so this policy does not mitigate XSS in the admin area; what
# it does surface is unexpected third-party script/connect/img/font origins.
#
# 'Header always' applies the header to every response, including error
# and redirect responses, not only successful ones.
#
# report-uri is deprecated in favour of report-to, but current browsers
# still honour it; moving to report-to would need a Reporting-Endpoints
# header as well. The /csp-report.php sink is outside this LocationMatch
# and is reached by the browser without credentials, so it must stay
# reachable unauthenticated.
<LocationMatch "^/olm/wp-admin/">
Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data: blob: https://ps.w.org https://secure.gravatar.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; form-action 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report.php"
</LocationMatch>
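<?php
declare(strict_types=1);

/*
 * CSP violation report sink (the report-uri target of the
 * Content-Security-Policy-Report-Only header).
 *
 * Accepts POST bodies only, caps the body at $maxBytes, requires the body to
 * decode to a JSON array/object, and appends one JSON line per report to
 * $logFile. Every rejection is a bare 4xx with no body.
 *
 * The endpoint is unauthenticated by design (browsers post to it without
 * credentials), so every value recorded here is attacker-controllable and
 * whatever reads the log must treat it as untrusted input.
 */

// One directory above this script. With csp-report.php in the document root
// that keeps the log outside the web tree, so reports are never served back.
$logFile = dirname(__DIR__) . '/csp-reports.log';

// Per-request body limit; genuine CSP reports are a few hundred bytes.
$maxBytes = 64 * 1024;

// Backstop for total log size: an anonymous endpoint that appends without
// bound is a disk-fill vector. Rotation (logrotate/cron) is still expected;
// this only stops growth once that has not happened.
$maxLogBytes = 64 * 1024 * 1024;

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// Read one byte past the limit so an oversized body is detected without
// buffering all of it.
$raw = file_get_contents('php://input', false, null, 0, $maxBytes + 1);
if ($raw === false || $raw === '') {
    http_response_code(400);
    exit;
}
if (strlen($raw) > $maxBytes) {
    http_response_code(413);
    exit;
}

// report-uri reports arrive as {"csp-report": {...}}, report-to batches as a
// JSON array; both decode to an array, anything else is junk. The default
// depth limit (512) bounds nesting of the attacker-supplied JSON.
$data = json_decode($raw, true);
if (!is_array($data)) {
    http_response_code(400);
    exit;
}

// Drop reports once the log has reached its cap. Still answer 204: the
// sender can do nothing useful with an error and the sink's state is not
// something to advertise. clearstatcache() so a long-running SAPI does not
// act on a stale size.
clearstatcache(true, $logFile);
if (is_file($logFile) && filesize($logFile) >= $maxLogBytes) {
    http_response_code(204);
    exit;
}

$entry = [
    'time'       => gmdate('c'),
    // REMOTE_ADDR only: X-Forwarded-For is client-supplied and unverifiable here.
    'ip'         => $_SERVER['REMOTE_ADDR'] ?? null,
    'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? null,
    'report'     => $data,
];

// One JSON object per line. json_encode escapes control characters, so a
// report or User-Agent cannot inject extra log lines. User-Agent is a raw
// header and may carry invalid UTF-8; without JSON_INVALID_UTF8_SUBSTITUTE
// json_encode returns false and an empty line would be written in place of
// the report.
$line = json_encode(
    $entry,
    JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
);
if ($line === false) {
    // Not expected with the flags above; fail closed rather than log garbage.
    http_response_code(204);
    exit;
}

$written = file_put_contents($logFile, $line . PHP_EOL, FILE_APPEND | LOCK_EX);
if ($written === false) {
    // Do not surface the failure to the anonymous sender; leave a trace for
    // the operator instead of silently dropping reports.
    error_log('csp-report.php: cannot append to ' . $logFile);
}

http_response_code(204);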