How to whitelist sources of the approved content

Important: The CSP options (settings) in this article are no longer available from v10.2.2 onward. Please see the ShieldPRO 10.2 Upgrade Guide here.

Due to the complexity of CSP and the superficial nature of our CSP implementation, we've decided to remove those options. We explore the issue in full detail in our blog post on this topic here.

You can add custom CSP rules to your site only.

Note: This option/feature is no longer applicable to the latest version of the Shield Security plugin and is here for reference purposes only.

How to whitelist sources of the approved content

The "Permitted Hosts and Domains" option is part of the Content Security Policy HTTP header.

By whitelisting sources of approved content, you can prevent the browser from loading malicious assets on your site.

To whitelist a source, add the line(s) to the "Permitted Hosts and Domains" option field (see the screenshots below).

The line you add will configure your site to only load scripts, images, style sheets etc. from that host/domain.

For example, if you want the browser to load content from your domain only, and your site URL is, add the line "" (you should remove the http:// prefix; otherwise, it will be removed automatically).

On the other hand, if your site URL is, add the line with the "https://" prefix. (You can force HTTPS only for a given domain by prefixing it with "https://".)

Note: If you allow HTTP it automatically allows HTTPS, but not vice versa. 
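The scheme rules above can be checked with a small model of how a browser matches a permitted host. This is an added example, not Shield's code: the function names, the example.test host names and the use of default-src are assumptions, and matching is simplified to scheme, exact host and default port.

```javascript
// Added example (not Shield's code). Host names are constructed samples.

// Normalize one "Permitted Hosts and Domains" entry as the article describes:
// an "http://" prefix is dropped, an "https://" prefix is kept.
function normalizeEntry(entry) {
  const e = entry.trim().toLowerCase().replace(/\/+$/, '');
  return e.startsWith('http://') ? e.slice('http://'.length) : e;
}

// Build a header value from the entries. Emitting default-src is an
// assumption; the article does not say which directive the option fills.
function buildPolicy(entries) {
  const sources = [...new Set(entries.map(normalizeEntry).filter(Boolean))];
  return `default-src ${sources.join(' ')}`;
}

// Simplified CSP host-source check: would a page served over pageScheme
// ("http" or "https") be allowed to load resourceUrl under this source?
function sourceAllows(source, resourceUrl, pageScheme) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/.exec(source);
  if (!m) return false;
  const [, srcScheme, srcHost] = m;
  const url = new URL(resourceUrl);
  const urlScheme = url.protocol.slice(0, -1);
  // A source without a scheme inherits the scheme of the protected page.
  const wanted = srcScheme || pageScheme;
  // An http source also matches https (upgrade), but never the reverse.
  const schemeOk =
    urlScheme === wanted || (wanted === 'http' && urlScheme === 'https');
  // url.port is '' when the URL uses the default port for its scheme.
  return schemeOk && url.hostname === srcHost && url.port === '';
}

const policy = buildPolicy(['http://example.test', 'https://cdn.example.test']);
console.log(policy);
for (const u of ['http://cdn.example.test/x.css', 'https://cdn.example.test/x.css']) {
  console.log(u, sourceAllows('https://cdn.example.test', u, 'http'));
}
```

On a site served over HTTPS, an entry without a prefix behaves like an HTTPS-only entry, so plain-HTTP assets from that host are blocked.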

Important: If you are unsure what domain/host to whitelist, use . This will be your valid source and the content will be loaded from everywhere, without restriction. 

How to add custom CSP rules

You can use the 'Manual Rules' option for this. For example, for media files, media-src: 

Feel free to provide as many custom Content Security Policy rules as you need to.

Important: There is no validation that your rules are structured correctly, nor whether they’re appropriate for your particular site and circumstances. Great care should be taken when providing your custom rules and advice should be sought from your web developer on what is most appropriate.