Secure your WordPress sites with the Content Security Policy HTTP Header

Content Security Policy HTTP header is a part of the Shield's HTTP Headers zone. It helps you to restrict the sources and types of content that may be loaded and processed by visitor browsers.

In essence it allows you to dictate which resources, files, etc. can be loaded/processed by the browser.

For example, can state that only Javascript files from the domain google.com may be executed. Or, only images loaded from your domain, are downloaded. You can be as granular or as accepting as you like.

Imagine your theme was hacked and a 3rd party JS script was embedded into your site. With the appropriate CSP in-place, you would block loading of the Javascript file on the visitor’s browser.

How to secure your WordPress sites with CSP header

To secure your site with CSP header in Shield, you'll need to manually add custom CSP rules to your site.

To do this, just enable CSP headers option first and then use 'Manual CSP Rules' option to add your custom rules:

Feel free to provide as many custom Content Security Policy rules as you need to. 

Also, if you use page cache, please disable it while you're configuring and testing your CSP rules and HTTP Security Headers in general. You'll need to test caching plugins and discover which ones honour HTTP headers set through WordPress. 

Please note that, if you do not provide any CSP rules, CSP headers setting will be turned off - these headers will not be active. 

Important: There is no validation that your rules are structured correctly, nor whether they’re appropriate for your particular site and circumstances. Great care should be taken when providing your custom rules and advice should be sought from your web developer on what is most appropriate.

To read more about HTTP Content Security Policy Headers, read the blog article here.

To learn how to configure HTTP Security Headers on WordPress, read this guide here.

Note: Apart from the option to manually add custom CSP rules explained above, there were other options in the older plugin releases too. But, due to the complexity of CSP and the superficial nature of our CSP implementation, we've decided to remove those certain CSP options as of the 10.2+ releases. We explore the issue in full detail in our blog post on this topic here.