
How do I generate a Content Security Policy using your plugin?
Login to shell for your site, change directory to your websites root folder, and run w …
This plugin generates the proper security HTTP response headers, attempts to generate a valid Content Security Policy, and sets browser permissions if configured.
Screenshots

Standard Header Settings

Content Security Policy Settings

Permissions Settings

Documentation

Import/Export Settings

Headers Set

FAQ
What is a Content Security Policy?
A Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
ChangeLog
5.2.03
- Requirements: WP Core: 6.0.9
- Next version will be incompatible with PHP 7.4
- Verify: WP Core 6.8 Compatability
- Verify: PHP 8.4 Compatibility
- Fix: Field Not Found in settings for Report to
- Fix: Removed ‘nothing’ for unsafe settings
- literally did nothing anyways, and wasn’t actually meant for that
- the keyword ‘none’ should be added to “Source” if it is needed
- Fix: “apply_child_override” warnings
- Add: PHP Upgrade Notice for any site under PHP 8.1
5.1.31
- Fix: Issue where menu would disappear on non-multisite
5.1.29
- Fix: Some undefined array keys when some settings not set
- Verify: WP Core 6.7 Compatibility
- Fix: Defaults for settings.
- Found headers were being applied after turning off setting that should not have been
- Clean Up: Versions older than 4
5.0.11
- Add:
sandbox
directive for Content Security Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
- Fix: Application of CSP headers when there is no value set
- No longer sets the directive if nothing is configured for it.
- Fix: Some styling in the admin pages
- Remove: Deprecated CLI methods
- Update: JS Libraries for settings framework
- Verified: PHP 8.3 Compatibility
4.6.01
- Verified: WP Core 6.6 Compatibility
- Updated: settings fw: Fixed: PHP 8.x deprecated notices.
- Updated: Documentation
- Removed: references to implementation to avoid confusion
4.1.22
- Removed: CLI Generator
- Verified: WP Core 6.5 Compatibility
- Add: Apply CSP to REST API
- Please be aware, once this is switched on it will also be active for the admin area of the site.
- Hook:
wpsh_send_restapi_headers
4.0.01
- Verified: Core Version 6.4 compliant
- Remove:
navigate-to
directive for Content Security Policy
- Per: https://docs.w3cub.com/http/headers/content-security-policy/navigate-to no longer supported in any browser
- Add:
report-to
directive for Content Security Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- Please be aware, this directive currently does nothing in Firefox and Safari
- Updated: WordPress Defaults. Compliant ONLY with the following:
- Plugins: Gravity Forms
- Themes: Twenty Twenty, Twenty Twenty-One, Twenty Twenty-Two, Twenty Twenty-Three
- Updated: WordPress Core version requirements to 5.6.10