Title: Strict CSP
Author: Weston Ruter
Published: February 10, 2025
Last modified: May 30, 2025

---

![](https://ps.w.org/strict-csp/assets/banner-772x250.png?rev=3342167)

![](https://ps.w.org/strict-csp/assets/icon.svg?rev=3342167)

# Strict CSP

 By [Weston Ruter](https://profiles.wordpress.org/westonruter/)

[Download](https://downloads.wordpress.org/plugin/strict-csp.0.3.2.zip)

## Description

This plugin enforces a [Strict Content Security Policy](https://web.dev/articles/strict-csp) (CSP)
on the frontend and login screen. This helps mitigate [cross-site scripting](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS) (XSS)
vulnerabilities. The policy cannot yet be applied to the WP Admin (see [#59446](https://core.trac.wordpress.org/ticket/59446)).

In [#58664](https://core.trac.wordpress.org/ticket/58664), the manual construction
of script tags was eliminated from `WP_Scripts` and inline scripts on frontend/login
screen, thanks to the helper functions which had previously been introduced in [#39941](https://core.trac.wordpress.org/ticket/39941).
This made it possible to apply Strict CSP, as long as themes and plugins are not
directly printing `<script>` tags. Some bundled WordPress core themes [still do this](https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop+path%3A%2F%5Esrc%5C%2Fwp-content%5C%2Fthemes%5C%2F%2F+%2F%3Cscript%5B%5E%3E%5D*%3E%2F&type=code)
incorrectly (which has been reported in Trac as [#63806](https://core.trac.wordpress.org/ticket/63806)).
For example, do not do this:

```php
function my_theme_supports_js() {
    echo '<script>document.body.classList.remove("no-js");</script>'; // ❌ Printed directly: no nonce, so Strict CSP blocks it.
}
add_action( 'wp_footer', 'my_theme_supports_js' );
```

Instead, do this:

```php
function my_theme_supports_js() {
    wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' ); // ✅ Printed via the core API, which adds the nonce attribute.
}
add_action( 'wp_footer', 'my_theme_supports_js' );
```

So in order for scripts to execute, they must be printed using the relevant APIs
in WordPress for adding scripts, including [`wp_enqueue_script()`](https://developer.wordpress.org/reference/functions/wp_enqueue_script/),
[`wp_add_inline_script()`](https://developer.wordpress.org/reference/functions/wp_add_inline_script/),
[`wp_localize_script()`](https://developer.wordpress.org/reference/functions/wp_localize_script/),
[`wp_print_script_tag()`](https://developer.wordpress.org/reference/functions/wp_print_script_tag/),
[`wp_print_inline_script_tag()`](https://developer.wordpress.org/reference/functions/wp_print_inline_script_tag/),
and [`wp_enqueue_script_module()`](https://developer.wordpress.org/reference/functions/wp_enqueue_script_module/).
Otherwise, a script’s execution will be blocked and an error will appear in the 
console, for example:

> Refused to execute inline script because it violates the following Content Security
> Policy directive: “script-src ‘nonce-9b539cfe47’ ‘unsafe-inline’ ‘strict-dynamic’
> https: http:”. Note that ‘unsafe-inline’ is ignored if either a hash or nonce 
> value is present in the source list.
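The mechanics behind that error, as an added illustration (not the Strict CSP plugin's own code): one random nonce per request is sent in the policy header and stamped onto every script tag that WordPress prints through its script APIs, via the core `wp_script_attributes` and `wp_inline_script_attributes` filters. The `object-src` and `base-uri` directives are assumed extras from the web.dev Strict CSP guidance; the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code): wiring a nonce-based strict policy
 * into WordPress on the frontend and login screen.
 */

/** Return the per-request CSP nonce, generating it on first use. */
function example_csp_nonce(): string {
	static $nonce = null;
	if ( null === $nonce ) {
		// Random and unguessable, regenerated on every request. A wp_create_nonce()
		// value would be wrong here: it is reused across requests for hours.
		$nonce = wp_generate_password( 32, false );
	}
	return $nonce;
}

/**
 * Send the policy header. 'strict-dynamic' lets nonced scripts load further
 * scripts; https:, http: and 'unsafe-inline' are fallbacks that browsers with
 * nonce support ignore, exactly as the console message above notes.
 */
function example_send_csp_header(): void {
	if ( is_admin() ) {
		return; // Policy is not yet applied to WP Admin (see #59446).
	}
	header( sprintf(
		"Content-Security-Policy: script-src 'nonce-%s' 'unsafe-inline' 'strict-dynamic' https: http:; object-src 'none'; base-uri 'none'",
		example_csp_nonce()
	) );
}
add_action( 'send_headers', 'example_send_csp_header' ); // Frontend requests.
add_action( 'login_init', 'example_send_csp_header' );   // wp-login.php.

/**
 * Add the nonce to every script tag printed by wp_print_script_tag() and
 * wp_print_inline_script_tag(), which WP_Scripts uses since #58664.
 */
function example_add_nonce_attribute( array $attributes ): array {
	if ( ! is_admin() ) {
		$attributes['nonce'] = example_csp_nonce();
	}
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_add_nonce_attribute' );
add_filter( 'wp_inline_script_attributes', 'example_add_nonce_attribute' );
```

Any `<script>` echoed directly bypasses these filters, carries no nonce, and is refused by the browser with the message quoted above.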

This also blocks scripts inside of [event handler attributes](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes#event_handler_attributes),
such as `onclick`, `onchange`, `onsubmit`, and `onload`. As noted on MDN:

> Warning: The use of event handler content attributes is discouraged. The mix of
> HTML and JavaScript often produces unmaintainable code, and the execution of event
> handler attributes may also be blocked by content security policies.
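An added example (not from the plugin or MDN) of moving a handler out of an event handler attribute, which the policy blocks, into an inline script that WordPress prints with the nonce; it assumes the plugin is active and uses hypothetical `example_` function names.

```php
<?php
// ❌ Blocked under Strict CSP: the onclick attribute is inline JavaScript
// that can never carry a nonce.
function example_button_with_onclick_attribute(): string {
	return '<button id="example-toggle" onclick="document.body.classList.toggle(\'dark\')">Toggle</button>';
}

// ✅ Allowed: the markup carries no script, and the handler is attached from
// an inline script printed through the core API, which receives the nonce.
function example_button_with_listener(): string {
	return '<button id="example-toggle">Toggle</button>';
}

function example_attach_toggle_handler(): void {
	wp_print_inline_script_tag(
		'document.getElementById("example-toggle").addEventListener("click", function () {
			document.body.classList.toggle("dark");
		});'
	);
}
add_action( 'wp_footer', 'example_attach_toggle_handler' );
```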

This plugin also ensures that scripts added to the page from embeds (e.g. Tweets)
also get the `nonce` attribute added.

## Installation

#### Automatic

 1. Visit **Plugins > Add New** in the WordPress Admin.
 2. Search for **Strict CSP**.
 3. Install and activate the **Strict CSP** plugin.
 4. Log out of WordPress and log back in with the “Remember Me” checkbox checked.

You may also install and update via [Git Updater](https://git-updater.com/) using
the [plugin’s GitHub URL](https://github.com/westonruter/strict-csp).

#### Manual

 1. Download the plugin ZIP either [from WordPress.org](https://downloads.wordpress.org/plugin/strict-csp.zip)
    or [from GitHub](https://github.com/westonruter/strict-csp/archive/refs/heads/main.zip).
    Alternatively, if you have a local clone of the repo, run `npm run plugin-zip`.
 2. Visit **Plugins > Add New Plugin** in the WordPress Admin.
 3. Click **Upload Plugin**.
 4. Select the `strict-csp.zip` file on your system from step 1 and click **Install
    Now**.
 5. Click the **Activate Plugin** button.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Strict CSP” is open source software. The following people have contributed to this
plugin.

Contributors

 * [Weston Ruter](https://profiles.wordpress.org/westonruter/)

“Strict CSP” has been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/strict-csp/contributors)
for their contributions.

[Translate “Strict CSP” into your language.](https://translate.wordpress.org/projects/wp-plugins/strict-csp)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/strict-csp/), check
out the [SVN repository](https://plugins.svn.wordpress.org/strict-csp/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/strict-csp/) by 
[RSS](https://plugins.trac.wordpress.org/log/strict-csp/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 0.3.2

 * Use `wp_generate_password()` to create CSP nonce instead of using `wp_create_nonce()`.
   Props [kasparsd](https://profiles.wordpress.org/kasparsd/). ([#13](https://github.com/westonruter/strict-csp/pull/13))

#### 0.3.1

 * Update required PHP version to 7.2 instead of 8.1.

#### 0.3.0

 * Add `nonce` attributes to scripts added by embeds.

#### 0.2.0

 * Disable Strict CSP from Site Editor.
 * Restrict policy to frontend and login screen.

#### 0.1.0

 * Initial release.

## Community plugin

This plugin is developed and supported by a community. [Contribute to this plugin](https://github.com/westonruter/strict-csp)

## Meta

 * Version: **0.3.2**
 * Last updated: **5 months ago**
 * Active installations: **20+**
 * WordPress version: **6.4 or higher**
 * Tested up to: **6.9.4**
 * PHP version: **7.2 or higher**
 * Languages: [English (US)](https://wordpress.org/plugins/strict-csp/) and [German](https://de.wordpress.org/plugins/strict-csp/). [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/strict-csp)
 * Tag: [security](https://ibo.wordpress.org/plugins/tags/security/)
 * [Advanced View](https://ibo.wordpress.org/plugins/strict-csp/advanced/)
