Content-Security-Policy (CSP) ‘unsafe-inline’
Hello,
WP admin (core) appears to require the ‘unsafe-inline’ value for the ‘script-src’ CSP directive. The ‘unsafe-inline’ value is also used in your screenshot example (https://ps.w.org/http-security/assets/screenshot-2.png?rev=1665126).
However, including ‘unsafe-inline’ produces the warning, “This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.” using the security header scanning tool you recommend (https://securityheaders.com/?q=villagebankmortgage.com&followRedirects=on). It’s my understanding that allowing ‘unsafe-inline’ is one of the most common ways a WordPress website can be compromised.
How can we set a Content-Security-Policy for WordPress Admin that does not produce any security warnings?
Thank you