No unsafe-inline
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls like the same-origin policy. Looking at National Vulnerability Database run by US NIST, more than 1100 (November 2025) vulnerabilities are reported as XSS for WordPress’ plugins and themes. Keeping your site up-to-date with the latest versions of plugins and themes is the first line of defense to ensure your site’s security. The second thing to do, is to deploy a strict Content Security Policy. The main problem The main problem with Content Security Policies implemented in the real world is that they are too weak to really protect your site and that many of them can be trivially bypassed by an attacker. The proposed solution Google researchers recommend, instead of whole host whitelisting, to activate individual scripts via a CSP nonces approach. In addition, in order to facilitate the adoption of nonce-based CSP, they proposed the ’strict-dynamic’ keyword. The problem(s) with CSP in WordPress Manual creation of a policy Usually, a WordPress project is a mix of code written by different authors who contributed to the Core and or wrote plugins and themes. If it is possible to whitelist every external script loaded from a , the real truth is that in a WordPress project you can have dozens of those scripts included with your plugins and calculate a cryptographic hash for each of them to be included in your CSP header can be a frustrating job. However, there are many browser extensions and WordPress’ plugins that can help you in this job. Inline scripts WordPress core, and plugins, use inline scripts. For these scripts, you can compute hashes to be inserted manually into your policy, only if these scripts do not change at any page load. Unfortunately, this is not very common, as it is frequent to include variable values calculated server side in inline scripts. And it means that your inline scripts change too frequently to manually add their hashes to your policy. This commonly happens when scripts are “localized”. WordPress has no API to implement nonces for CSP Even if it is easy to generate a nonce for each page view, this nonce has to be inserted in every script tag used to embed inline scripts in your page as doWhatever(); and in your script-src directive: script-src 'nonce-rAnd0m'; And, of course, a nonce must be unique for each HTTP response. Unsafe hashes / Inline styles Sometimes, HTML elements as images or buttons use HTML Event Attributes (onclick, onsubmit…) to let events trigger actions in a browser. You cannot use hashes or nonces for script included in event attributes and, adopting a strict CSP, requires refactoring those patterns into safer alternatives or to use ‘unsafe-hashes’. You got a similar problem when inline styles are used in HTML tags: This is a heading This is a paragraph. CSP Level 2 browsers may be ok with just putting the hash in your style-src directive. However, to allow hashes in the style attribute on inline CSS on browsers that support CSP Level 3, you may get an error like this Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='". Either the 'unsafe-inline' keyword, a hash ('sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='), or a nonce ('nonce-...') is required to enable inline execution. To allow inline styles you need to use ‘unsafe-hashes’ in your style-src directive (that is, in facts, unsafe). ^ This plugin approach This plugin affords those problems in this way: During a capture phase, it detects the scripts, styles and other embedded content present in the pages of your site and stores them in the database. Then you have to whitelist these contents from plugin admin. The plugin uses machine learning to cluster inline scripts trying to aggregate scripts generated by the same server side (PHP) code. So, you can authorize one script example to authorize all scripts that the classifier predicts to label as whitelisted clusters. You can choose to use hashes to authorize external scripts (and the plugin will allow you to include Subresource Integrity in your and ) You can use hashes or nonces to authorize inline scripts. You can ask the plugin to refactor your page to not use event attributes (converted in a inline script) and inline styles (converted in an internal CSS). You can set one or more violations’ report endpoints. The plugin supports multisite installations and has (too) many options documented in inline help. Creating a Content Security Policy After plugin activation, go to Settings menu and search for CSP Settings submenu. The steps you are supposed to do are the following. From the Tools tab, activate the capture of the tags and use your site by visiting all the pages or having your users visit them for a long time long period based on the use of your site (hours or days). From the Tools tab, perform the data clustering in the database (it can use many server resources). Go to the Base rules tab and include in the CSP directives the desired values (help you with the table at the bottom of the page). Go to the external scripts tab, inline scripts tab and scripts invoked by event handlers tab and authorize the execution of all the legitimate scripts present on the pages of your site. Leaving the tag capture active, activate the policy test (at this stage the plugin will generate some violations of the temporary policy used to record additional values to be included in the directives of your “content security policy”). After visiting again your site pages, disable the capture of the tags and repeat the previous steps 2, 3 and 4. Enable site protection. N.B. When you update plugins or themes, if something doesn’t work properly on your site pages, temporarily deactivate the protection and repeat steps 1 to 7. Plugin hooks Filters nunil_output_csp_headers_header_csp nunil_output_csp_headers_header_csp is available since version 1.2.3 and can be used to modify the Content-Security-Policy header before it is sent to browser no_unsafe_inline_not_sri_sources no_unsafe_inline_not_sri_sources can be used to modify the list of external resources that do not support SRI (Subresource Integrity) no_unsafe_inline_final_output no_unsafe_inline_final_output is an internal filter used to manipulate the output of the WordPress process just before the output is sent to the browser. no_unsafe_inline_meta_injector no_unsafe_inline_meta_injector is an internal filter hook used to inject meta http-equiv=”Content-Security-Policy” if variable is set Actions nunil_upgrade Functions hooked on nunil_upgrade will run when the plugin is upgraded nunil_output_csp_headers Functions hooked to nunil_output_csp_headers will run when the plugin output the CSP HTTP response header Code and libraries This version of the plugin uses: * to parse HTML: * ivopetkov/HTML5DOMDocument on PHP 2.13.09 * \Dom\HTMLDocument: The new ext-dom features with HTML5 support on PHP>8.4 * RubixML for machine learning from version 1.1.0 – PHP-ML was used in versions 1.0.x; * opctim/php-nilsimsa to calculate and compare Nilsimsa digests. The log functions have been taken from * perfectyorg/perfecty-push-wp, something you should really try if you want to implement web Push notifications in your site. The complete list of dependencies used in this plugin can be seen in dependency graph on GitHub. Contributions, Issues, Bugs Plugin code is hosted on a public repository on GitHub. Reach me over there to help and suggest.
Top keywords
- inline23×1.74%
- scripts21×1.59%
- csp18×1.36%
- policy11×0.83%
- site11×0.83%
- output9×0.68%
- security9×0.68%
- content8×0.61%
- inline scripts8×0.61%
- unsafe8×0.61%
- wordpress8×0.61%
- hashes7×0.53%
SeaSP Community Edition
SeaSP Community Edition is an automated Content Security Policy Manager. SeaSP allows you to create, configure, manage, and deploy a Content Security Policy for your site. The WordPress SeaSP Community Edition plugin catalogs the domains that appear on your site. Categorize and filter out unwanted domains. Add a layer of WordPress security site from Magecart and other cross-site scripting attacks to keep your WordPress site safe. SeaSP installs a strict non-blocking CSP to collect violation data and provide a violation report. Violation data flows into the WordPress database as a PHP option within the plugin options schema. Violations can be approved by domains and categorized by directives (CSS, fonts, images, JS, etc.). You can also approve base domains and subdomains. The SeaSP UI helps users by explaining what each directive does, and how to use them to create a CSP. After configuring the domain and directive settings switch the CSP to blocking mode. Once the CSP goes into blocking mode, the site’s protected from any unrecognized code. SeaSP Community Edition helps secure your site. Upgrade Notice for 1.4 only When you install this version you will need to rebuild your CSP Usage Once installed, a strict non-blocking report-only CSP is implemented on your site. Visit each page of your site to collect CSP violations. Visit the Current Violations page of the plugin to review domains that have violated a directive in the CSP. Review each of the domains carefully and check for misspellings of common domains like adobee.com instead of adobe.com as this is a common way hackers inject content into your site. If you feel confident that the domain belongs on your site and it should be serving the file type stated, click the toggle to approve the domain to include it in the CSP. If you want to allow subdomains of that domain to be able to serve that type of content, click the Manage subdomains button to view the subdomains. After this process, you might still see CSP violations regarding inline scripts, inline styles, blobs, or data. To allow these this type of content in the community version you must navigate to the Directive Settings page, find the offending directive, then toggle the appropriate option. For convenience, each option has a tooltip explaining what it allows in your CSP. Walk Through A walk through video can be found on YouTube here. Contributing Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. This project has been tested on WordPress up to version 5.8 on both single and multi-site instances. The project can be found on github. This project is sponsored by Blue Triangle. Third Party Libraries We use Bootstrap for the UI of our plugin to make the interface clean and simple. Bootstraps license can be found here We use bootstrap toggle because simple check boxes can be confusing and we wanted our CSP mangers UI to feel easy. This code was developed for The New York Times by Min Hur and is licensed under MIT License GNU Opt In usage data collection As of version 1.5 users will be able to opt-in for data collection to help us determine how many people are using our plugin and what features we should be working on in future version. This can be managed in the Usage Data Settings page. We collect and send the following data: 1. wordpress version 2. wordpress debug mode 3. wordpress multisite 4. the base url that the plugin is on ex; www.bluetriangle.com This data is only accessible to the Blue Triangle organization and will be used to determine our user base and feature planning.