@ahkg I found some kind of solution (see below). But now I'm wondering if this might cause problems for Cloudron? In the logs, it seems that the Cloudron server have trouble getting access to the wp-login.php, with the check that runs every 10 seconds: 2018-09-19T09:06:45.000Z [Wed Sep 19 09:06:45.296846 2018] [access_compat:error] [pid 207] [client 172.18.0.1:54684] AH01797: client denied by server configuration: /app/code/wp-login.php 2018-09-19T09:06:45.000Z 172.18.0.1 - - [19/Sep/2018:09:06:45 +0000] "GET /wp-login.php HTTP/1.1" 403 476 "-" "Mozilla" I tried to add the local ip 172.18.0.1 to the whitelist in htaccess, but this only resulted in wp-login.php being available to all IP-addresses. ErrorDocument 401 default ErrorDocument 403 default SetEnvIf X-Forwarded-For "^1\.1\.*\.*" AllowIP <Files wp-login.php> Order deny,allow Deny from all Allow from env=AllowIP </Files> # Block access to wp-admin. <Files wp-admin/> Order deny,allow Deny from all Allow from env=AllowIP </Files> # Allow access to wp-admin/admin-ajax.php <Files wp-admin/admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> # BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress

I have updated the ciphers now according to mozilla's config generator. The commit is https://git.cloudron.io/cloudron/box/commit/ddaa52163bf3844b36d6c29fdffb5db3e0b3f5d0 For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.