Glossary term

Content Security Policy (CSP)

A Content Security Policy (CSP) is an HTTP response header that tells browsers exactly which sources of scripts, styles, images, fonts, and embedded content are allowed to run on a page — used to prevent cross-site scripting and supply-chain attacks by explicitly enumerating trusted origins.

Why CSP matters

  • If a malicious script is injected into a page, the browser refuses to execute it unless the script source is in the policy.
  • If a trusted third party (analytics, fonts, embedded widgets) gets compromised, a tight CSP prevents the compromise from spreading to your visitors.
  • Federal and EU regulations increasingly assume CSP as part of baseline web hygiene.

The challenge for WordPress sites

A strict CSP is incompatible with the way many WordPress plugins inject inline scripts: an inline script only runs under a strict policy if it carries a per-request nonce or a matching hash, and the alternative, 'unsafe-inline', defeats the policy. Implementing CSP on an existing WordPress site is therefore rarely a flip-a-switch job. It means auditing every plugin, adding nonces for legitimate inline scripts, documenting exceptions, and tuning rules over weeks of monitoring.

How we approach it

  • Start in report-only mode: log violations without blocking, so we can see what would break before we enforce.
  • Tighten progressively: move from broad allow-lists to specific origins as we identify which plugins, fonts, and embeds the site actually depends on.
  • Document the policy: future staff need to know what the policy permits and why, so they don’t blindly relax it when something breaks.
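The first two steps above, as an added example rather than tooling from the original page: a small Python triage script that reads the JSON violation reports a browser sends while a site runs under Content-Security-Policy-Report-Only, groups blocked sources per directive, and drafts a tightened policy that allow-lists the observed external origins and uses a nonce (never 'unsafe-inline') for blocked inline scripts. The report lines and the shop.example / cdn.analytics.example hostnames are constructed sample data.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: report-only violations as POSTed to a report-uri endpoint
# (legacy "csp-report" payload shape). Two hits on the analytics CDN, one inline
# script a plugin injected, one font loaded from a third-party origin.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src", "blocked-uri": "https://cdn.analytics.example/tag.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/cart", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com/s/roboto.woff2"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "script-src \'self\'", "blocked-uri": "https://cdn.analytics.example/ga.js"}}',
]

def source_of(blocked_uri):
    """Reduce a blocked URI to a CSP source: its origin, or the bare keyword
    the browser reported ('inline', 'eval', 'data', 'blob') without a colon."""
    if "//" not in blocked_uri:
        return blocked_uri.rstrip(":")
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}"

def triage(report_lines):
    """Count violations per directive and source: {directive: {source: n}}.
    Counts tell you which origins the site really depends on versus one-offs."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in report_lines:
        body = json.loads(line).get("csp-report", {})
        # Newer reports carry effective-directive; older ones only the violated
        # directive string, whose first token is the directive name.
        directive = body.get("effective-directive") or (body.get("violated-directive") or "").split(" ")[0]
        if not directive or "blocked-uri" not in body:
            continue
        seen[directive][source_of(body["blocked-uri"])] += 1
    return seen

def propose_policy(seen, nonce_placeholder="{NONCE}"):
    """Draft the tightened policy: 'self' plus the observed external origins,
    a nonce source where inline code was blocked. 'eval', 'data' and 'blob'
    are deliberately left out so each one has to become a documented exception."""
    parts = ["default-src 'self'"]
    for directive in sorted(seen):
        keywords, origins = ["'self'"], []
        for src in sorted(seen[directive]):
            if src == "inline":
                keywords.append(f"'nonce-{nonce_placeholder}'")
            elif src.startswith(("https://", "http://")):
                origins.append(src)
        parts.append(" ".join([directive, *keywords, *origins]))
    return "; ".join(parts)
```

The `{NONCE}` placeholder stands for the per-response random value the server must generate and also stamp onto each legitimate inline script tag; the drafted policy is meant to go back out in report-only mode for another round before being enforced.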