Reputation: 586
Did anyone stumble upon trying to secure headers (CSP) in WordPress with several plugins spitting JS into the DOM?
I am trying to enhance the headers with CSP and remove the 'unsafe-inline' in the script-src directive.
Some static JS I was able to load with hashes, but when it comes to dynamic JS, it becomes cumbersome. I overwrote some of the functions that spit JS to contain a nonce and added the nonce in the CSP, but every time someone adds a plugin that behaves like this or updates a modified plugin, I will have to redo it, thus this way is not very robust.
Does anybody have some ideas other than allowing inline and never updating plugins?
Best
Upvotes: 4
Views: 8158
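The nonce approach the question describes can be made less fragile by hooking the points where WordPress itself prints script tags, so that anything a plugin enqueues through the normal API gets the nonce without editing the plugin. The following is an added example (not code from the question or from WordPress), written as a must-use plugin; it assumes WordPress 5.7 or later for the wp_inline_script_attributes filter, and the constant CSP_EXAMPLE_REPORT_ONLY is a name chosen here for illustration. Two caveats a practitioner should keep in mind: the send_headers action fires only for front-end requests, so wp-admin keeps whatever policy the web server sets; and plugins that echo raw <script> tags directly into templates bypass both filters, which is exactly the case the question found cumbersome, so roll out in report-only mode first and read the violation reports to find those plugins.

```php
<?php
/**
 * Plugin Name: CSP Nonce (added example)
 * Description: Per-request CSP nonce for enqueued and inline scripts. Place in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Example-only switch: true sends Content-Security-Policy-Report-Only so violations are
// logged by the browser but nothing is blocked; set to false once the reports are clean.
if ( ! defined( 'CSP_EXAMPLE_REPORT_ONLY' ) ) {
    define( 'CSP_EXAMPLE_REPORT_ONLY', true );
}

/**
 * One random nonce per request: 16 random bytes, base64-encoded (PHP 7+).
 */
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

/**
 * Build the policy. 'strict-dynamic' lets a nonced script load further scripts
 * (a plugin's own loader, for example) without listing every host; the 'self' and
 * https: entries after it are only honoured by browsers without CSP3 support.
 */
function csp_example_policy() {
    $nonce = csp_example_nonce();
    return "default-src 'self'; "
         . "script-src 'nonce-{$nonce}' 'strict-dynamic' 'self' https:; "
         . "object-src 'none'; base-uri 'self'; "
         . "img-src 'self' data: https: *.gravatar.com; "
         . "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
         . "font-src 'self' data: https://fonts.gstatic.com;";
}

/**
 * Send the header on front-end requests (send_headers does not fire in wp-admin).
 */
function csp_example_send_header() {
    $name = CSP_EXAMPLE_REPORT_ONLY ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header( $name . ': ' . csp_example_policy() );
}
add_action( 'send_headers', 'csp_example_send_header' );

/**
 * Stamp the nonce onto every <script> tag WordPress prints for an enqueued handle.
 * $tag may contain several tags (inline before/after scripts), so add the nonce to
 * each <script that does not already carry one.
 */
function csp_example_script_tag( $tag, $handle, $src ) {
    $attr = ' nonce="' . esc_attr( csp_example_nonce() ) . '"';
    return preg_replace( '/<script\b(?![^>]*\bnonce=)/', '<script' . $attr, $tag );
}
add_filter( 'script_loader_tag', 'csp_example_script_tag', 10, 3 );

/**
 * Inline scripts printed through wp_print_inline_script_tag() (WordPress 5.7+) take
 * their attributes from this filter, so wp_add_inline_script() output is covered too.
 */
function csp_example_inline_attrs( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_inline_script_attributes', 'csp_example_inline_attrs' );
```

Because the nonce is generated per request, full-page caching must not cache the HTML with a fixed nonce; either exclude such pages from the cache or keep the hash approach for static inline scripts and the nonce only for what WordPress prints.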
Reputation: 309
You only need to create one .htaccess file in wp-admin and set
<IfModule mod_headers.c>
Header unset Content-Security-Policy
</IfModule>
Upvotes: -1
Reputation: 147
Using .htaccess is a more robust way of using CSP with WordPress. Just add the code below in your .htaccess file. Some plugins could still break, so make sure to add whatever the plugin uses below, like googleapis etc. By doing this you don't have to worry about any plugin updates.
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
</IfModule>
But if you use that on the frontend it will break the WordPress backend, so to fix it just add this code below to wp-admin/.htaccess.
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>
Reference:
Upvotes: 0