Content Security Policy and how to set it up in WordPress.


What is Content Security Policy (CSP)?

A Content Security Policy (CSP) is a set of rules that tells the browser which scripts, iframes, and other resources on a page may be executed or embedded. The browser enforces the policy while rendering the page: if a script or iframe that the policy does not allow has been injected into the page, the browser blocks it. This limits the damage to visitors if the site is tampered with.

The following items can be set by CSP.

The domains from which JavaScript and CSS may be loaded.
The domains from which frames (iframes) may be loaded.
The domains from which images, videos, and font files may be loaded.

Do I need to set up a content security policy?

A policy that is too strict or misconfigured blocks not only attacker activity but also legitimate content, such as external advertisements and scripts delivered via a CDN, which can break parts of the site.
The technology is still relatively new, so there is no need to rush into setting it up.

However, if you run a corporate site and want to stop visitors from being redirected or having malicious scripts run in their browser because of cross-site scripting or tampering by an attacker, it is worth configuring.

How to set up a content security policy on your WordPress site

CSP can be configured with the Content Security Policy Manager plugin.

After installing the plugin, activate it and go to Settings > CSP Manager (the CSP settings section for the site), where each directive can be enabled and configured.

Tick the Enable checkbox for each directive you want to use, and enter its source values in the text area below it.

The available keyword sources are listed below. Keyword sources must be enclosed in single quotation marks (an unquoted self is treated as a host name, not the keyword).

'self' → Allow only your own domain (same origin)
'none' → Allow nothing
'unsafe-inline' → Allow inline scripts and event handlers to execute
'unsafe-eval' → Allow eval() and similar string-to-code functions

If a directive needs more than one source, enter each source on its own line.
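To show how the per-line source lists above turn into a header, and how the over-permissive settings warned about earlier can be spotted before they reach visitors, here is an added Python example (not code from the page or from the CSP Manager plugin). It joins directive text areas into a Content-Security-Policy header value, then audits the result for 'unsafe-inline' on scripts, 'unsafe-eval', wildcard hosts, a missing default-src, and unquoted keywords. The directive names and keywords are standard CSP; the sample settings and host names are constructed for illustration.

```python
"""Build a Content-Security-Policy header from per-directive source lists
and flag the settings that weaken it (added example, not plugin code)."""

# Keyword sources must be quoted in the header; host sources must not.
KEYWORD_SOURCES = {"self", "none", "unsafe-inline", "unsafe-eval"}

# Constructed sample in the shape the plugin UI uses: one directive per
# text area, one source per line.
SAMPLE_SETTINGS = {
    "default-src": "'self'",
    "script-src": "'self'\n'unsafe-inline'\nhttps://cdn.example.com",
    "frame-src": "'none'",
    "img-src": "'self'\nhttps://images.example.com",
}


def parse_sources(text):
    """Split a line-break separated text area into individual sources."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_policy(settings):
    """Join the per-directive source lists into one CSP header value."""
    parts = []
    for directive, text in settings.items():
        sources = parse_sources(text)
        if sources:
            parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def parse_policy(header):
    """Parse a CSP header value back into {directive: [sources]}."""
    policy = {}
    for directive_text in header.split(";"):
        tokens = directive_text.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_policy(header):
    """Return findings that weaken the policy's protection against XSS."""
    policy = parse_policy(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: directives not listed are unrestricted")
    for directive, sources in policy.items():
        if directive in ("script-src", "default-src") and "'unsafe-inline'" in sources:
            findings.append(f"{directive} allows 'unsafe-inline': injected inline scripts run")
        if "'unsafe-eval'" in sources:
            findings.append(f"{directive} allows 'unsafe-eval'")
        if "*" in sources:
            findings.append(f"{directive} allows any host (*)")
        if "'none'" in sources and len(sources) > 1:
            findings.append(f"{directive}: 'none' combined with other sources is invalid")
        for src in sources:
            # Unquoted keyword: the browser reads it as a host name and the
            # keyword silently has no effect.
            if src in KEYWORD_SOURCES:
                findings.append(f"{directive}: {src} must be written as '{src}'")
    return findings


if __name__ == "__main__":
    header = build_policy(SAMPLE_SETTINGS)
    print("Content-Security-Policy:", header)
    for finding in audit_policy(header):
        print("finding:", finding)
```

Run it as-is and the sample policy produces one finding, the 'unsafe-inline' on script-src; removing that line from the script-src text area (and moving inline code into external files) gives a clean audit.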

The meaning of each directive is explained in detail below.
Content Security Policy (CSP) Directive Summary
