Nginx Content-Security-Policy (CSP) header for Wordpress

Dec 31st, 2015
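  # Please note: 'unsafe' declarations like 'unsafe-inline' and 'unsafe-eval' should not be used as XSS would be allowed
  # I have added 'unsafe' declarations as Wordpress themes and plugins are relying on them and I am investigating for a proper minify solution
  # 'data:' in script-src is in the same category: it lets a data: URI be executed as a script, so drop it once no plugin needs it.
  #
  # The policy is defined once in a variable so the three header variants below cannot drift apart.
  # nginx syntax is `add_header NAME VALUE;` with no colon after the header name; with a colon the header
  # goes out as "Content-Security-Policy:: ..." and browsers ignore it, i.e. nothing is enforced.
  # Keep the value on ONE line: a newline inside the quoted string is sent as part of the header value,
  # which is not valid in HTTP/1.1 and makes clients drop or mis-parse the policy.
  # `set` is only valid in server/location/if context, so place this block inside the server {} block.
  set $csp "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.[YOUR-DOMAIN] *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com; style-src 'self' 'unsafe-inline' *.[YOUR-DOMAIN] *.googleapis.com *.bootstrapcdn.com; img-src 'self' *.[YOUR-DOMAIN] data: *.google-analytics.com *.gstatic.com *.gravatar.com *.w.org; frame-src 'self' maps.google.com pastebin.com; font-src 'self' data: *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.googletagmanager.com; report-uri /csp-report.php";
  #
  # Hardening still open: object-src is not listed, so it falls back to default-src 'self'; base-uri does NOT
  # fall back to default-src at all. Add `object-src 'none'; base-uri 'self';` once plugins are confirmed not to need them.
  #
  # Report-Only: For testing purpose use
  #   add_header Content-Security-Policy-Report-Only $csp always;
  # instead of (not in addition to) the enforcing header below.
  #
  # `always` (nginx >= 1.7.5) also sends the header on 4xx/5xx responses; without it error pages carry no policy.
  # add_header is not inherited into a location {} that declares its own add_header -- repeat these lines there.
  add_header Content-Security-Policy $csp always;
  # Pre-standard header names for old Firefox/IE10 (X-Content-Security-Policy) and old Safari/Chrome (X-WebKit-CSP).
  # Current browsers ignore them, so both lines can be removed when those browsers no longer matter.
  add_header X-Content-Security-Policy $csp always;
  add_header X-WebKit-CSP $csp always;
  # /csp-report.php receives POSTed JSON from any client: treat it as untrusted input (validate, size-limit, rate-limit).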