Nginx Content-Security-Policy (CSP) header for Wordpress

mikeg_de, Dec 31st, 2015 (edited)
# Please note: 'unsafe' declarations like 'unsafe-inline' should not be used, as XSS would be allowed.
# I have added 'unsafe' declarations as WordPress themes and plugins are relying on them, and I am investigating a proper minify solution.
# The same caveat applies to 'data:' in script-src: a data: URI can carry attacker-controlled script just like an inline block.

# nginx syntax: add_header takes the header name WITHOUT a trailing colon (a colon would become part of the
# header name), and the quoted value is passed through as-is, so keep the whole policy on one line;
# a line break is not valid inside an HTTP header value.
# The policy is held in a variable so the three headers below cannot drift apart. 'set' is only valid in
# server {} or location {} context, so place this block inside the server {} that serves WordPress.
# Report-Only: for testing purposes use add_header Content-Security-Policy-Report-Only $csp; instead of the enforcing header.
set $csp "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.[YOUR-DOMAIN] *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; style-src 'self' 'unsafe-inline' *.[YOUR-DOMAIN] *.googleapis.com *.bootstrapcdn.com; img-src 'self' *.[YOUR-DOMAIN] data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org; frame-src 'self' maps.google.com pastebin.com; font-src 'self' data: *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.googletagmanager.com; report-uri /csp-report.php";

# Standard header (Firefox 23+, Chrome 25+, Safari 7+).
add_header Content-Security-Policy $csp;

# Legacy vendor-prefixed headers for older Firefox (X-Content-Security-Policy) and older WebKit/Chrome
# (X-WebKit-CSP). Same policy; they can be dropped once those browsers are out of scope.
add_header X-Content-Security-Policy $csp;
add_header X-WebKit-CSP $csp;
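Before flipping the header from Report-Only to enforcing, it helps to lint the policy string the way a reviewer would and to see what the /csp-report.php endpoint will actually receive. The script below is an added example and not part of the paste: it parses the policy above (with [YOUR-DOMAIN] replaced by the assumed placeholder example.com), flags the 'unsafe-inline', 'unsafe-eval' and data: allowances the comments warn about, points out directives that do not inherit from default-src, and extracts the useful fields from a constructed violation report of the kind a browser POSTs to report-uri.

```python
"""CSP review helpers: parse a policy, flag the weaknesses a reviewer looks for,
and read the violation reports that a report-uri endpoint receives."""
import json
from typing import Dict, List, Tuple

# Constructed sample: the policy from this paste with [YOUR-DOMAIN] replaced by
# example.com (an assumed placeholder, not the author's real domain).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.example.com "
    "*.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; "
    "style-src 'self' 'unsafe-inline' *.example.com *.googleapis.com *.bootstrapcdn.com; "
    "img-src 'self' *.example.com data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org; "
    "frame-src 'self' maps.google.com pastebin.com; "
    "font-src 'self' data: *.gstatic.com *.bootstrapcdn.com; "
    "connect-src 'self' *.googletagmanager.com; "
    "report-uri /csp-report.php"
)

# Constructed sample of what a browser POSTs to report-uri (Content-Type
# application/csp-report) when an inline script is blocked under Report-Only.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": SAMPLE_CSP,
}})


def parse_csp(value: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a policy into {directive: [sources]}. Browsers honour only the first
    occurrence of a directive, so repeats are returned separately for reporting."""
    policy: Dict[str, List[str]] = {}
    duplicates: List[str] = []
    for token in value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            duplicates.append(name)
        else:
            policy[name] = parts[1:]
    return policy, duplicates


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Absent fetch directives fall back to default-src; base-uri and form-action
    do not, which is why they must be set explicitly."""
    if directive in policy:
        return policy[directive]
    if directive in ("base-uri", "form-action"):
        return []  # unrestricted when missing
    return policy.get("default-src", [])


def lint_csp(value: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the script-execution weaknesses the
    paste's own comments warn about, plus the usual omissions."""
    policy, duplicates = parse_csp(value)
    findings: List[Tuple[str, str]] = []
    script = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in script:
        findings.append(("UNSAFE_INLINE", "script-src allows inline script; an injected <script> or onerror= handler runs"))
    if "'unsafe-eval'" in script:
        findings.append(("UNSAFE_EVAL", "script-src allows eval()/new Function(); string-to-code sinks are not blocked"))
    if "data:" in script:
        findings.append(("DATA_SCRIPT", "script-src allows data: URIs, which can carry attacker script"))
    if "*" in script:
        findings.append(("BROAD_WILDCARD", "script-src allows any host"))
    if "base-uri" not in policy:
        findings.append(("NO_BASE_URI", "base-uri is unset and does not inherit default-src; an injected <base> redirects relative script URLs"))
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append(("NO_OBJECT_SRC", "object-src falls back to default-src; set object-src 'none' unless plugins are needed"))
    for name in duplicates:
        findings.append(("DUPLICATE", f"{name} appears more than once; only the first is enforced"))
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append(("NO_REPORTING", "no report-uri/report-to: violations will never be seen"))
    return findings


def summarize_report(body: str) -> Dict[str, str]:
    """Extract the fields a /csp-report.php endpoint would log from a violation report."""
    report = json.loads(body)["csp-report"]
    return {
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
        "page": report.get("document-uri", ""),
    }


if __name__ == "__main__":
    for code, msg in lint_csp(SAMPLE_CSP):
        print(f"{code}: {msg}")
    print(summarize_report(SAMPLE_REPORT))
```

Run it against the value of $csp after substituting your domain; the findings are the items to work through (typically by moving theme and plugin inline scripts into files or adding nonces) before removing the 'unsafe' sources, and summarize_report shows the minimum a report endpoint should log to tell legitimate plugin breakage from an injection attempt.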