CSP with auto generated nonce
So one of the most difficult things to master when hardening / adding security to a WordPress site is getting a full content security policy (CSP) to work in WordPress with an auto-generated nonce.
There are countless articles about CSP and nonces for WordPress and other sites on the internet, but none, and I mean none, go into detail on how to actually get it to work. Around 99% of the articles written about nonces and CSP do not work; they are just a waste of time to read. And the authors don’t even have CSP with a nonce active and enabled on the very site the article is published on…
It’s such a shame that there is so little information on the internet on how to actually get a fully working CSP with an auto-generated nonce running on a site. And not to mention that once you get it working on the front-end, it will break a lot of features on the admin portal. I had to add a lot more things to my CSP than I wanted because of how WordPress and its plugins work.
Currently I still have “unsafe-inline” on my sites, but that is because I use WordPress.
But it feels amazing to finally have a fully working CSP with an auto-generated nonce working on my domains. Feel free to take a look below 😀 mine actually works!
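For readers who want the detail the articles above skip, here is an added example (not code from this post or from WordPress itself) of the minimal mu-plugin that wires a per-request nonce into both the CSP header and the script tags WordPress prints. It assumes WordPress 5.7 or later, where the `wp_script_attributes` and `wp_inline_script_attributes` filters exist; the function names `csp_request_nonce`, `csp_send_header` and `csp_add_nonce_attribute` are my own. Note that once a nonce is present in `script-src`, CSP level 2+ browsers ignore `'unsafe-inline'` anyway, so it only serves as a fallback for old browsers.

```php
<?php
// Added example: wp-content/mu-plugins/csp-nonce.php (hypothetical file name).
// One nonce per HTTP request, from a CSPRNG, reused by the header and by every tag.
function csp_request_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits of random data, base64-encoded: the format the CSP spec expects.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Send the header before any output. 'init' fires on front-end, admin and login
// requests alike, so the admin portal gets the same policy as the public pages.
// 'strict-dynamic' lets scripts loaded by a nonced script run without a host
// allowlist; the 'unsafe-inline' and https: entries are ignored by modern
// browsers and only keep very old ones from breaking.
function csp_send_header(): void {
    if (headers_sent()) {
        return; // nothing we can do if output already started (e.g. a buggy plugin)
    }
    $nonce = csp_request_nonce();
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'nonce-{$nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
        . "object-src 'none'; base-uri 'self'"
    );
}
add_action('init', 'csp_send_header', 0);

// Stamp the nonce onto every <script> tag WordPress emits via wp_enqueue_script()
// and onto inline scripts attached with wp_add_inline_script(). WordPress escapes
// attribute values itself when it prints the tag.
function csp_add_nonce_attribute(array $attributes): array {
    $attributes['nonce'] = csp_request_nonce();
    return $attributes;
}
add_filter('wp_script_attributes', 'csp_add_nonce_attribute');
add_filter('wp_inline_script_attributes', 'csp_add_nonce_attribute');
```

Any script that a theme or plugin prints with a raw `<script>` string instead of going through these filters will be blocked, which is exactly where the admin-side breakage described above comes from; the browser console lists each blocked inline script so you can decide whether to fix the plugin or add a hash for that one script.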