Google Analytics with HTTP Content Security Policy Header

I have been trying to set up HTTP security headers for the past couple of days.

HTTP Security Headers for WordPress

Today, I was trying to set up the Content Security Policy for this blog.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

If you want to set it up and protect users from XSS, you have to remove inline JavaScript from your site, such as the following.

  • Extra code for emoji
  • Google analytics code
  • JetPack stats

Remove Extra Code for Emoji

There is a plugin developed by Ryan Hellyer.

https://wordpress.org/plugins/disable-emojis/

Google Analytics Code

I developed a WordPress plugin which outputs the Google Analytics code as an external JavaScript file, because we need analytics and we can’t remove it.

https://github.com/miya0001/miya-analytics

If you activate this plugin, it outputs the Google Analytics code under the following URL.

https://takayukimiyauchi.jp/analytics/

It is in beta testing for now, but it seems to be working fine.

JetPack

JetPack’s Site Stats outputs inline JavaScript, so we have to deactivate it.

OK, all inline scripts could be deleted. 🙂
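
A pre-deployment check for the cleanup described above, as an added example that is not from the original post or the miya-analytics plugin: it lists the inline scripts, inline event handlers and `javascript:` URLs that a policy without `'unsafe-inline'` would block, and suggests a `script-src` directive from the external scripts it finds. The sample markup, the `audit` helper and the Google Analytics script URL are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

JS_TYPES = {"", "text/javascript", "application/javascript", "module"}

class InlineScriptAudit(HTMLParser):
    """Find markup that a policy without 'unsafe-inline' would block."""
    def __init__(self):
        super().__init__()
        self.violations = []   # (line, description)
        self.origins = set()   # origins of external scripts
        self._inline = None    # line of an open <script> that has no src
    def handle_starttag(self, tag, attrs):
        line, attrs = self.getpos()[0], dict(attrs)
        if tag == "script" and (attrs.get("type") or "").strip().lower() in JS_TYPES:
            parts = urlsplit(attrs.get("src") or "")
            if parts.netloc:   # protocol-relative URLs are assumed to be https
                self.origins.add(f"{parts.scheme or 'https'}://{parts.netloc}")
            elif not attrs.get("src"):
                self._inline = line
        for name, value in attrs.items():
            if name.startswith("on"):
                self.violations.append((line, f"inline handler {name} on <{tag}>"))
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.violations.append((line, f"javascript: URL in {name} on <{tag}>"))

    def handle_data(self, data):
        if self._inline is not None and data.strip():
            self.violations.append((self._inline, "inline <script> block"))
            self._inline = None

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None

def audit(html):
    """Return (violations, suggested script-src directive) for one page."""
    parser = InlineScriptAudit()
    parser.feed(html)
    return parser.violations, " ".join(["script-src", "'self'", *sorted(parser.origins)])

# Constructed sample markup (not taken from the blog): before and after the cleanup.
BEFORE = """<script>/* emoji loader */</script>
<script>ga('create', 'UA-XXXXX-Y', 'auto'); ga('send', 'pageview');</script>
<body onload="init()">
<script src="https://www.google-analytics.com/analytics.js"></script>"""
AFTER = """<script src="/analytics/"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>"""
if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

Scripts injected at runtime do not appear in static markup, so confirm the result with the `Content-Security-Policy-Report-Only` header before enforcing the policy.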

