Title: Content-Security-Policy
Last modified: September 27, 2020

---

# Content-Security-Policy

 *  [galix](https://wordpress.org/support/users/galix/)
 * (@galix)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/content-security-policy-23/)
 * Hi Ivanov, congratulations on this great plugin.
   I have a few questions. As I added base-uri-none through the plugin, my website
   crashed, but fortunately I managed to recover it.
 * A: After this crash I would like to have your advice if possible.
   I am checking security with a Webbkoll scan and this is the result: stuff. [https://prnt.sc/uodl25](https://prnt.sc/uodl25)
   n.6 (in red) of them need improvement in CSP. In order from 1 to 6, which of
   them can I easily improve by using your plugin?
 * B: I checked the basic settings on [https://zinoui.com/blog/http-headers-for-wordpress](https://zinoui.com/blog/http-headers-for-wordpress).
   Can you please check if they are OK and will not crash my site again?
   Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts
   My site: [http://www.wooowlook.com](http://www.wooowlook.com)
   Best Regards

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/content-security-policy-23/#post-13461381)
 * Hi [@galix](https://wordpress.org/support/users/galix/)
 * A. Actually you can configure all 6 of those through this plugin. The question
   is: do you really need this? Setting up the CSP header depends on how your website
   is built, your code structure, and what external libraries you are using. So,
   sometimes 'unsafe-inline' is just OK.
 * B. I don't know if this configuration will break your site. If you have SSL, probably
   yes. My advice is to start with something simple, for example default-src 'self'.
   Most probably this will break your site, so edit your .htaccess manually. Then
   open your website and the DevTools console. There you will find exactly which browser
   policy is violated, so you can easily add those to your CSP configuration. You
   need to do this for every page of your website until no errors are left. I know this
   is more of a dev approach, but I found it the most effective.
 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/content-security-policy-23/#post-13461407)
 * B. If you don't feel comfortable editing the .htaccess file manually or just prefer
   to use the plugin, you can do the following:
   (How to configure the script-src)
   Go to every page of your website, hit view source, and search for `<script>`
   tags. If their src attribute points to an external location, you need to add its
   origin to the script-src directive. If you have some inline script, add 'unsafe-inline'.
   Add 'self' to allow scripts that come from your website.
 * Then repeat the same for style-src, font-src, img-src, and so on.
 * Hope this helps you.


The topic ‘Content-Security-Policy’ is closed to new replies.
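
The page-source inventory described in the replies above, as an added example that is not part of the original thread or the plugin's code: it parses one page's HTML and derives the sources for script-src, style-src and img-src. The site origin, the sample HTML and all host names are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: SITE and every URL below are assumptions.
SITE = "https://example.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/t/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<style>body{margin:0}</style>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="/wp-includes/js/jquery.js"></script>
<script>var inlineConfig = 1;</script>
</head><body><img src="data:image/png;base64,AAAA">
<img src="https://img.example.org/logo.png"></body></html>"""


class CspInventory(HTMLParser):
    """Collect the sources each fetch directive must allow for one page."""

    def __init__(self, site):
        super().__init__()
        self.site = site
        self.sources = {"script-src": set(), "style-src": set(), "img-src": set()}

    def _add(self, directive, url):
        parts = urlsplit(urljoin(self.site, url))  # resolve relative URLs
        origin = f"{parts.scheme}://{parts.netloc}"
        if parts.scheme == "data":
            origin = "data:"
        elif origin == self.site.rstrip("/"):
            origin = "'self'"
        self.sources[directive].add(origin)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if tag == "script" and a.get("src"):
            self._add("script-src", a["src"])
        elif tag in ("script", "style"):  # inline block: no URL to allow-list
            self.sources[f"{tag}-src"].add("'unsafe-inline'")
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            self._add("style-src", a["href"])
        elif tag == "img" and a.get("src"):
            self._add("img-src", a["src"])


def build_policy(html, site=SITE):
    inv = CspInventory(site)
    inv.feed(html)
    parts = ["default-src 'self'"]
    parts += [f"{d} {' '.join(sorted(s))}" for d, s in inv.sources.items() if s]
    return "; ".join(parts)
```

Resources pulled in from inside stylesheets or by scripts at runtime (fonts, background images) do not appear in the page source, so the DevTools console check from the first reply is still needed.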

 * 2 replies
 * 2 participants
 * Last reply from: [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * Last activity: [5 years, 7 months ago](https://wordpress.org/support/topic/content-security-policy-23/#post-13461407)
 * Status: not resolved