Content Security Policy

webpagetest dot org says my WordPress site has a “high severity security” problem with “Content Security Policy”:

“A computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context”

Does anybody know how I can fix this, please? :blush::pray:

CSP is a feature that tells the browser to only load content from specific domains. This means that, with CSP enabled, if you ever install a plugin that tries to load assets from a different domain, it would refuse to load those assets until you went through the extra trouble of updating your policy. There are other things you can do with CSP too; if you look it up you can read all about it, but as you can see it is something that needs to be specially configured and adjusted each time you install a new plugin, and updates could potentially break your site too. For these reasons I typically do not enable it. By not enabling it you’re not introducing any vulnerabilities; it just makes it extremely difficult, if not impossible, for hackers to exploit certain classes of vulnerabilities when you do have CSP configured. There are plugins such as https://wordpress.org/plugins/wp-content-security-policy that will help you configure a CSP policy. Last time I configured a CSP policy I did so manually, so I can’t say how well that plugin actually works, but it looks like a good plugin.

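As an added example (not from this thread or from the plugin linked above), this is the manual approach the reply mentions, written as a WordPress must-use plugin that starts in Report-Only mode: a plugin that loads assets from an unexpected domain then shows up in violation reports instead of breaking the site. The allow-listed domain cdn.example.com and the report path are placeholders to replace with your own.

```php
<?php
/*
 * Plugin Name: CSP Report-Only Rollout (example)
 * Description: Sends a Content-Security-Policy-Report-Only header so a policy
 * can be tested against the site's real plugins and theme without blocking
 * anything. Save as wp-content/mu-plugins/csp-report-only.php to activate.
 */

// Hypothetical allow-list: 'self' plus the domains this site's plugins and
// theme actually load from. cdn.example.com is a placeholder; adjust per site.
function csp_example_policy_directives() {
    return array(
        'default-src'     => "'self'",
        'script-src'      => "'self' https://cdn.example.com",
        'style-src'       => "'self' 'unsafe-inline'", // WordPress core emits inline styles
        'img-src'         => "'self' data: https://cdn.example.com",
        'font-src'        => "'self' https://cdn.example.com",
        'connect-src'     => "'self'",
        'frame-ancestors' => "'self'", // limits who may frame the site (clickjacking)
        'report-uri'      => '/csp-report-endpoint-placeholder', // replace with your collector
    );
}

// Join the directive map into the header value: "name value; name value".
function csp_example_build_header( array $directives ) {
    $parts = array();
    foreach ( $directives as $name => $value ) {
        $parts[] = $name . ' ' . $value;
    }
    return implode( '; ', $parts );
}

function csp_example_send_headers() {
    if ( headers_sent() ) {
        return; // too late to add headers on this response
    }
    // Report-Only: violations are sent to report-uri, nothing is blocked.
    // Once the reports are clean after installing/updating plugins, rename
    // the header to Content-Security-Policy to start enforcing it.
    $policy = csp_example_build_header( csp_example_policy_directives() );
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
}
add_action( 'send_headers', 'csp_example_send_headers' );
```

Browser developer tools also list report-only violations in the console, which is a quick way to see which plugin assets the policy would block before enforcing it.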

Fantastic reply! Thank you