Nginx Content-Security-Policy (CSP) header for WordPress

Dec 31st, 2015
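  # Content-Security-Policy (CSP) headers for a WordPress site served by nginx.
  # Replace [YOUR-DOMAIN] with the site's own domain before use.
  #
  # Please note: 'unsafe' declarations like 'unsafe-inline' should not be used, as they allow XSS.
  # They are present only because WordPress themes and plugins rely on inline script/style;
  # the author is investigating a proper minify solution. With 'unsafe-inline', 'unsafe-eval'
  # and data: in script-src, this policy limits where external resources load from but does
  # not stop injected inline script.
  #
  # Tightening checklist once the inline code is gone:
  #   - drop 'unsafe-inline', 'unsafe-eval' and data: from script-src
  #   - replace host wildcards (*.google.com, *.googleapis.com, ...) with the exact hosts in
  #     use; a wildcard trusts every script served from any host under that domain
  #   - base-uri and form-action do not fall back to default-src; set them explicitly
  #
  # Report-Only: for testing, use "add_header Content-Security-Policy-Report-Only ..." with the
  # same value; violations are reported to report-uri but nothing is blocked.
  #
  # nginx notes:
  #   - add_header takes "name value", so the header name is written WITHOUT a trailing colon
  #     (a colon would become part of the emitted header name).
  #   - Each value is kept on a single line: a quoted nginx string that spans several lines
  #     keeps its line breaks inside the header value.
  #   - "always" (nginx >= 1.7.5) also sends the header on error responses such as 404 and 500,
  #     which WordPress renders through the theme too. Remove it on older nginx versions.
  #   - add_header is inherited from the enclosing level only when the current level defines
  #     no add_header of its own; a location block with its own add_header needs these lines
  #     repeated (or pulled in with include), otherwise it is served without CSP.
  #   - /csp-report.php receives JSON posted by browsers: treat the request body as untrusted
  #     input and bound its size.

  # Standard header, honoured by current browsers.
  add_header  Content-Security-Policy "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.[YOUR-DOMAIN] *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; style-src 'self' 'unsafe-inline' *.[YOUR-DOMAIN] *.googleapis.com *.bootstrapcdn.com; img-src 'self' *.[YOUR-DOMAIN] data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org; frame-src 'self' maps.google.com pastebin.com; font-src 'self' data: *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.googletagmanager.com; report-uri /csp-report.php" always;

  # Pre-standard header names used by old Firefox/IE (X-Content-Security-Policy) and old
  # WebKit (X-WebKit-CSP) releases. Current browsers ignore them; they are kept here with the
  # same policy as above and can be removed once those browsers are out of scope.
  add_header  X-Content-Security-Policy "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.[YOUR-DOMAIN] *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; style-src 'self' 'unsafe-inline' *.[YOUR-DOMAIN] *.googleapis.com *.bootstrapcdn.com; img-src 'self' *.[YOUR-DOMAIN] data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org; frame-src 'self' maps.google.com pastebin.com; font-src 'self' data: *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.googletagmanager.com; report-uri /csp-report.php" always;

  add_header  X-WebKit-CSP "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.[YOUR-DOMAIN] *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; style-src 'self' 'unsafe-inline' *.[YOUR-DOMAIN] *.googleapis.com *.bootstrapcdn.com; img-src 'self' *.[YOUR-DOMAIN] data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org; frame-src 'self' maps.google.com pastebin.com; font-src 'self' data: *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.googletagmanager.com; report-uri /csp-report.php" always;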