Want to know why you should be offering content security policies (CSPs) as part of your WordPress maintenance package? Or how you can discuss CSPs with clients? The second part of our interview with Miriam Schwab, founder and CEO of WordPress firm Strattic, covers these issues and more.
You can read the first part of the interview about content security policies here.
What’s the best way for a WordPress developer to talk about CSPs with their clients, and how can developers convince clients that their site needs a CSP?
MS: If a web developer is working on a site, in particular one that involves commerce, then I think that that would be an easy conversation. Because that site could theoretically be hacked despite all of the efforts being made, and then that would literally impact the bottom line. Whereas if it has the CSP in place it would continue to protect the users. I think with other clients it might be difficult to talk to them about it, because the thing with security is that until someone experiences the opposite of security they don’t think it’s important. Kind of like if your house hasn’t been broken into you’re not going to think you need bars on the windows, and then when your house has been broken into you start to consider having bars on your windows. It’s the same with the world of the Internet. Until you’ve felt the pain you hesitate to implement protections that are necessary. You’ll be like “well, everything’s fine”. So one thing that developers can do is come in with case studies, and another thing they can do is actually just make it part of what they offer their client. Meaning, just like, you know, we have mobile optimization as pretty much a basic part of the packages these days and other types of optimization, or even adding SSL, that’s a no-brainer, everyone must be adding SSL, you don’t actually even talk to the client about it, you just do it. Maybe CSP is something that you just do as well. The developer needs to be aware that the client may come back to them afterwards if they try to add a content type that is not supported and say “this needs to be updated”. But if the developer is offering some kind of maintenance plan, which many do, and has some kind of residual income, then that could potentially cover tweaking the CSP for the user.
So does a CSP necessitate an ongoing relationship between developer and client, or can it still be included as part of a one-off project?
MS: So you could make it part of a one-off project, but if you have a scenario where a content type isn’t supported, then the client will get frustrated. In my web development agency one of the reasons we offered the maintenance package was to lower frustration, because clients would do the one-off project, take the site, and then they’d be like “we’re responsible for updating, no problem” and they wouldn’t update, and then they’d get hacked and they would blame us. So we’re like “okay, we don’t want any more of that”. So yeah, it’s hard to make it one-off. There’s a reason that CSP has such a low implementation rate. I think something like 2% of the top million sites have CSPs. And at WordCamp Europe I showed that even the White House doesn’t have a content security policy, which is crazy. And banks don’t have one. It’s amazing, you can easily run a test on a lot of sites and see if they have it. In my opinion it should be considered possibly basic.
Where do you see CSPs fitting in with wider issues of security in the WordPress space? For example, is it worth developers implementing a CSP if their clients are all using the password “password one two three”?
MS: Especially. If security is poor then they’re going to get hacked. I mean, that’s pretty much a given, and at the very least this will prevent malicious scripts from being loaded in the browser for the users. So I would say that the weaker the security, the more important it is to implement.
Do you have some recommendations on tools or plugins to make your CSP journey a little bit easier?
MS: So in my talk, which hopefully can be linked to or something, I do list tools, and we wrote a post which also lists all of them and links all of them on our site. So securityheaders.io is a great first step. It’s a really easy way to plug a URL in there and get an idea of the security state of a particular website. So that would be the first step. And it tells you what you have in place and where the problems are, so that’s a great weeding tool. There’s another one called Report URI, and what it does is, it is like a wizard type of tool to enable you to create your content security policy. Because that’s a bit tricky, getting the format right and making sure that you covered everything you needed to cover. So it’s like checkboxes and you fill it in like “I only want to allow images to load from this domain” and you get your content security policy. It’s really amazing. There’s a Windows-only tool, unfortunately, it’s not for Mac. It’s called Fiddler. And that is the best tool, and there need to be more of them, particularly a Mac-supported one. They have a Mac one but it’s not fully fleshed out. It will analyze a page and tell you what types of content are on there that need to be authorized by the content security policy. That’s the hardest thing, that’s what I’m talking about with us easily blocking ourselves. It gives you a list of the resources that you need to authorize in the content security policy so your page loads properly. Fonts, by the way, are a tricky one. Users can easily block their own fonts if they’re loading from, let’s say, Google Fonts or a third party. I think those are good ones to start with, but I have that list in my talk and there are some really, really great tools there. Oh, and one other thing.
You can create the CSP on the server level in Nginx or Apache and send it to the browser, but if maybe the client is going to be hosting it who knows where, they don’t have access to the server, they don’t want to deal with it that way, you can actually put CSPs in the meta code of the site. There are a few directives that aren’t supported there, but they’re used less, so it’s not such a big deal. And that’s a really easy way to get started with implementing it, and then it’s also easy to modify it as needed. And theoretically, if you have savvy enough clients, they can also edit the metadata of the site on that level and update it as necessary. So those are some hopefully useful things.
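As an added example (not code from the interview or from Strattic), the following Python script does offline what Schwab describes the page-analysis tools doing: given a page's Content-Security-Policy and the resources the page actually loads, it reports which loads the policy would block and which origins would have to be authorized, including the Google Fonts trap where the stylesheet from fonts.googleapis.com is allowed but the font files from fonts.gstatic.com fall through to default-src. The page URL, policy and resource list are constructed sample data, and the source matching is deliberately simplified (nonces, hashes and path matching are not modelled).

```python
from urllib.parse import urlparse

def parse_csp(policy):
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    chunks = [c.split() for c in policy.split(";")]
    return {t[0].lower(): t[1:] for t in chunks if t}

def source_allows(src, resource, page):
    """Simplified match of one source expression against a resource URL: handles
    'self', *, scheme sources and (wildcard) host sources; nonces, hashes and paths are not modelled."""
    r, p = urlparse(resource), urlparse(page)
    if src == "'self'":
        return (r.scheme, r.netloc) == (p.scheme, p.netloc)
    if src.startswith("'"):           # 'none', 'unsafe-inline', nonces, hashes: never a URL match
        return False
    if src == "*":
        return True
    if src.endswith(":"):             # scheme source such as https:
        return r.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    host = host.split("/")[0].split(":")[0].lower()   # drop any path and port
    actual = (r.hostname or "").lower()
    host_ok = actual.endswith(host[1:]) if host.startswith("*.") else actual == host
    return host_ok and (not scheme or scheme == r.scheme)

def blocked_resources(policy, page, resources):
    """Return [(directive, url)] for the entries of resources=[(kind, url)] the policy would block."""
    csp = parse_csp(policy)
    blocked = []
    for kind, url in resources:
        directive = f"{kind}-src"
        sources = csp.get(directive, csp.get("default-src"))   # CSP falls back to default-src
        if sources is not None and not any(source_allows(s, url, page) for s in sources):
            blocked.append((directive, url))
    return blocked

def origins_to_allow(blocked):
    """Group blocked URLs by directive into the origins the policy would have to list."""
    needed = {}
    for directive, url in blocked:
        u = urlparse(url)
        needed.setdefault(directive, set()).add(f"{u.scheme}://{u.netloc}")
    return needed

PAGE = "https://www.example-client.test/"   # constructed sample: a client's WordPress page
POLICY = "default-src 'self'; script-src 'self' https://cdn.example-client.test; style-src 'self' https://fonts.googleapis.com"
RESOURCES = [("script", "https://www.example-client.test/wp-includes/js/jquery.js"),   # constructed loads
             ("style", "https://fonts.googleapis.com/css?family=Roboto"),
             ("font", "https://fonts.gstatic.com/s/roboto/v30/KFOm.woff2"),  # no font-src: default-src applies
             ("script", "https://analytics.third-party.test/track.js")]
```

Running `blocked_resources(POLICY, PAGE, RESOURCES)` flags the gstatic font and the third-party script, and `origins_to_allow` turns that into the two origins the policy is missing.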
What would you like to see happen to encourage greater use of CSPs on WordPress?
MS: So I think the conversation just needs to get started. There are some plugins that have been created for WordPress, but they seem to be problematic; I didn’t test that. I would just go the more straightforward route. But what I saw after my talk was people who are very savvy developers came up to me after the talk to say that they had never heard of content security policies. It totally makes sense. I hadn’t heard of them. Not that I’m not savvy, but I’ve been in the industry for a while and I do care about security, and I had never heard about content security policies until maybe a year ago when our CTO joined Strattic, and he comes from the world of cybersecurity. He’s taught me a lot, he taught me about having security policies. So there needs to be a discussion around it, maybe more talks at WordCamps about it, so that more people can be exposed to the existence of CSPs, and also content security headers in general. In the WordPress world we’re very focused on the typical types of hacks, and it totally makes sense because that’s what generally is happening, SQL injection, cross-site scripting. But there is that extra layer that we can all add for ourselves and our users; it’s just a matter of awareness. I think that’s probably what it is, so by you guys even talking about it I think that’s a great start.