Support » Plugin: HTTP Headers » Content Security Policy Settings

  • Resolved bulls_shark


    Dear Support Team, unfortunately I am still very inexperienced with the settings and hope that you can help me and offer me suitable settings for this option here.

    We use the Revolution Slider, WPBakery Page Builder and have included videos from YouTube and Vimeo and use Google Fonts or partially self-hosted fonts on some websites as well as data from

    Thank you for your help and time and thanks for the plugin 🙂

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Dimitar Ivanov


    Hi @bulls_shark

    Setting the CSP header seems to be a hard task because it depends on the resources used by each particular website/page. That's why there is no standard recommendation.

    My advice is not to try to set up all the values at once. Start small. After each change, look for errors in the DevTools browser console. Those are descriptive enough to find out exactly which directive to fix.

    However, from your description I will propose these settings:

    default-src 'self'
    script-src 'self'
    style-src 'self'
    img-src data: 'self'
    font-src data: 'self'
    child-src 'self'
    connect-src 'self'

    Hope this helps you.
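
The "start small" approach applied to the policy proposed above, as an added example that is not part of the original post or the plugin: it works out which directive governs each load, including the `frame-src` to `child-src` to `default-src` fallback, and the full directive value that would allow it. The site origin `https://example.com`, the sample URLs and all function names are constructed assumptions.

```javascript
// Fallback chains (subset of CSP Level 3): the first directive present governs the load.
const FALLBACK = {
  style: ['style-src', 'default-src'], font: ['font-src', 'default-src'],
  frame: ['frame-src', 'child-src', 'default-src'],
};
// Parse "directive source source" lines (the thread's format) or a ';'-joined header value.
function parsePolicy(text) {
  const policy = new Map();
  for (const line of text.split(/[\n;]/)) {
    const [name, ...sources] = line.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
// Simplified matching: 'self', scheme sources (data:), host sources; scheme/port/path ignored.
function matches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline' etc. match no URL
  if (s.endsWith(':')) return url.protocol === s;
  const host = s.replace(/^[a-z]+:\/\//, '').replace(/[:/].*$/, '');
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}
// For each blocked load, propose the full value of the most specific directive. A new
// frame-src replaces the child-src fallback instead of merging, so its sources are copied.
function suggestFixes(policyText, resources, selfOrigin) {
  const policy = parsePolicy(policyText);
  const fixes = {};
  for (const { type, url } of resources) {
    const u = new URL(url);
    const governing = FALLBACK[type].find((d) => policy.has(d));
    if (!governing || policy.get(governing).some((s) => matches(s, u, selfOrigin))) continue;
    const target = FALLBACK[type][0];
    if (!fixes[target]) fixes[target] = policy.get(governing).filter((s) => s !== "'none'");
    if (!fixes[target].includes(u.origin)) fixes[target].push(u.origin);
  }
  return fixes;
}
// Policy proposed in the thread; the loads are constructed samples for https://example.com.
const PROPOSED = `default-src 'self'; script-src 'self'; style-src 'self'; img-src data: 'self';
  font-src data: 'self'; child-src 'self'; connect-src 'self'`;
const SAMPLE = [
  { type: 'style', url: 'https://fonts.googleapis.com/css?family=Roboto' },
  { type: 'font', url: 'https://fonts.gstatic.com/s/roboto/font.woff2' },
  { type: 'font', url: 'https://example.com/fonts/local.woff2' },
  { type: 'frame', url: 'https://www.youtube.com/embed/VIDEO_ID' },
  { type: 'frame', url: 'https://player.vimeo.com/video/0' },
];
console.log(suggestFixes(PROPOSED, SAMPLE, 'https://example.com'));
```

Each key in the result is a directive to set and each value is its complete source list; the self-hosted font produces no entry because `font-src 'self'` already allows it.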



    My current settings:

    default-src 'self'
    script-src 'self' 'unsafe-inline'
    style-src 'self' 'unsafe-inline' data:
    img-src 'self'
    connect-src 'self'
    font-src 'self'
    media-src 'self'
    child-src 'self'
    object-src 'none'
    frame-src 'self'

    When testing the website I reach the rating A; it only indicates that ‘unsafe-inline’ is critical, but it is needed, otherwise the website does not work.

    I am hosting my own fonts but suddenly I am shown: net::ERR_ABORTED 400

    Why it suddenly loads the local fonts from Google is unclear to me.

    Thanks for the support!



    Hello Dimitar, thanks for the quick response and your support!

    I have now adopted your settings. So far it almost works; unfortunately the WPBakery Page Builder is no longer in the backend.

    Failed to load resource: the server responded with a status of 400 ( The fonts are registered in the backend itself.

    Best regards



    Hello, WPBakery Page Builder is running with these settings:
    script-src 'self' 'unsafe-inline' 'unsafe-eval'
    style-src 'self' 'unsafe-inline'

    I have now loaded the fonts directly from Google. Unfortunately, I find no way to make it accept the self-hosted fonts without error and not try to load them from Google.

    Maybe someone still has a solution?

    Thanks again for the help!

  • The topic ‘Content Security Policy Settings’ is closed to new replies.