Privacy Policy

Like so many other websites, websec also use cookies.
But not for data collection, the cookies here are used for caching, preferences, access, and sesson management.
And this only applies if you're logged in!

Customize Consent Preferences

The cookies on this site are connected to the webmail gui.
The cookies are not used for tracking, as I refuse to use any kind of tracking technology on this site.
Websec is not ment for user tracking, advertisement, content measurement, data collection, or anything similar to this.

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about the site visitors.

  • Cookie
    _lscache_vary
  • Duration
    2days
  • Description

    This cookie belongs to LiteSpeed Cache.
    The "_lscache_vary" cookie improves website performance by caching content for faster loading. It ensures that logged-in users see real-time updates, while non-logged-in users get faster access to pre-generated content.

These cookies are only connected to the webmail.

  • Cookie
    oc_sessionPassphrase
  • Duration
    session
  • Description

    This cookie is connected to the webmail
    The purpose for this cookie is session management and authentication.
    It helps maintain user sessions and ensures secure access to the webmail by storing a passphrase or token related to the session.

  • Cookie
    __Host-nc_sameSiteCookielax
  • Duration
    1 year 1 month 4 days
  • Description

    This cookie is connected to the webmail and plays a vital role in the security of the webmail.
    it helps protect user accounts and data by preventing unauthorized cross-site request forgery (CSRF) attacks, thereby enhancing the overall security and integrity of the webmail.

  • Cookie
    __Host-nc_sameSiteCookiestrict
  • Duration
    1 year 1 month 4 days
  • Description

    This cookie is connected and similar to "__Host-nc_sameSiteCookielax," but slightly different.
    The cookie enforces the same-site cookie attribute strictly, only allowing it to be sent with top-level navigation requests, this cookie further protect user accounts and data from unauthorized cross-site requests, providing an additional layer of security.

  • Cookie
    oc< ID >
  • Duration
    session
  • Description

    This cookie is a session cookie and is based on the users webbrowser. The "oc<id>" are temporary cookies that are created and stored on the client-side (usually within the user's browser) during a browsing session.
    Overall session cookies like "oc<id>" are crucial for maintaining a user's session state and enabling the server to manage and personalize the experience during a browsing session.

Skip to content

Content Security Policy!

CSP with auto generated nonce

So one of the most difficult things to master when hardening / adding security to a wordpress site is
to get a full content security policy (CSP) to work in wordpress with auto generated nonce.

There are countless articles about CSP and nonce for wordpress and other sites on the internet, but none, and I mean none go into detail on how to actually get it to work, and around 99% of the articles written about nonce and CSP does not work, just a waste of time to read them. And they don’t even have CSP with nonce active and enabled on their site that the article is written on…

It’s such as shame that there is so little information on the internet on how to actually get a fully working CSP with auto generated nonce to work on a site. And not to mention once you get it working on the front-end, it will break a lot of features on the admin portal. Like I had to add a lot more things to my CSP then I wanted because of how wordpress and the plugins for wordpress works.
Currently I still have “unsafe-inline” on my sites, but that is because I use wordpress.

But, it feels amazing to finally have a fully working CSP with auto generated nonce working on my domains. Feel free to take a look below 😀 mine actually works!

https://securityheaders.com/?q=websec.nu&hide=on&followRedirects=on
https://csp-evaluator.withgoogle.com/?csp=https://websec.nu
Tags: