CSP / DSGVO / WordPress

a true pain in the ass Part II

Getting WP installation in line with #GDPR / #DSGVO is a real pain if you are not willing to accept a B or even a B+ on your ratings.

Why are we doing this?
somehow forced by #GDPR / #DSGVO Art5.1.f Art25 Art32.2

Setting up Content-Security-Policy as we should do to get along with #GDPR / #DSGVO will break your WP-Installation as far as what we seen here so far. The List of not working stuff, ist long, and yes I can tell you really long, from non workin PlugIns over corrupted Themes to a not working default Editor. Sumed Up … a pain in the ass

So what will it gonna be?
After not feeling the vibe for trial and error on this topic we call it a day with an unsafe impelmented CSP but a full working WP installation.


Quick Tip

WordPress / #GDPR / #DSGVO

?? a pain in the ass if not self hosted??

What we need to check and resolve to get it done:

  • HTTPS as a default (DSGVO Art25)
  • HTTP Strict Transport Security (HSTS)
  • Content Security Policy (CSP) ((DSGVO Art32.2)
    • !! this may/will break some of your plugins or everything !!
  • Referrer Policy (DSGVO Art5.1.c & 25 & 32.2)
  • Subresource Integrity (SRI) (DSGVO Art5.1.f & 25 & 32.2)
  • HTTP-Header (DSGVO Art5.1.c & Art5.1.f 25 & 32.1-2)
    • X-Content-Type Options
    • X-Frame Options
    • X-XSS-Protection
  • Cookies yes/no (DSGVO Art5.1.a c e & Art21 & 22 & 23)
  • First Party Request
  • Third Party Request (DSGVO Art5.1.b-c Art25)

We’ll keep u posted what comes next! oh yes there is still some more …