SecurityHigh

Content Security Policy (CSP) missing on WordPress

No Content-Security-Policy is defined on your site. The browser is therefore allowed to load scripts from any source.

Why it matters

Without CSP, a successful XSS injection can execute any JavaScript in the context of your site: session theft, malicious redirect, keylogger.

How to fix

  1. 1

    Start in report-only mode (non-blocking)

    apache
    <IfModule mod_headers.c>
  Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:"
</IfModule>
  2. 2

    CSP adapted to WordPress (with page builders)

    apache
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self'; frame-ancestors 'self';"
  3. 3

    Note on WordPress and CSP

    WordPress uses unsafe-inline extensively for inline styles and scripts. Start with a permissive CSP and tighten it progressively by observing violations in the browser console.

Related articles

SecurityMissing X-Frame-Options headerSecurityMissing X-Content-Type-Options headerSecurityMissing HSTS header on your WordPress site

Ready to fix this issue on your site?

Audit my site for free →