Этот плагин не тестировался с последними 3 основными выпусками WordPress. Скорее всего, он уже не поддерживается и может быть несовместим с текущими версиями WordPress.

Content Security Policy Pro


The idea is quite simple: By sending a CSP header from a website, you are telling the browser what it is authorized to execute and what it is authorized to block. And by doing this, Content Security Policy helps block the XSS vulnerabilities.
CSP allows a host to specify a whitelist of approved sources that a browser can load content from and is an effective countermeasure for XSS attacks.
Content Security Policy is delivered via a HTTP response header, much like HSTS, and defines approved sources of content that the browser may load. It can be an effective countermeasure to Cross Site Scripting (XSS) attacks and is also widely supported and usually easily deployed.

CSP Directives
* default-src: Define loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback),
* script-src: Define which scripts the protected resource can execute,
* object-src: Define from where the protected resource can load plugins,
* style-src: Define which styles (CSS) the user applies to the protected resource,
* img-src: Define from where the protected resource can load images,
* media-src: Define from where the protected resource can load video and audio,
* frame-src: Define from where the protected resource can embed frames,
* font-src: Define from where the protected resource can load fonts,
* connect-src: Define which URIs the protected resource can load using script interfaces,
* form-action: Define which URIs can be used as the action of HTML form elements,
* sandbox: Specifies an HTML sandbox policy that the user agent applies to the protected resource,
* script-nonce: Define script execution by requiring the presence of the specified nonce on script elements,
* plugin-types: Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
* reflected-xss: Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header,
* report-uri: Specifies a URI to which the user agent sends reports about policy violation

Written By

This plugin was written by Laxman Thapa, Web Developer.


  • Basic setup
  • Templates
  • Source list reference


  1. Install using the WordPress built-in Plugin installer, or Extract the zip file and drop the contents in the wp-content/plugins/ directory of your WordPress installation.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. Go to ADMIN > WP CSP
  4. Now you you add directive rules on this page

For more info on the directives check @ html5 rocks or smashingmagazine.com.

Часто задаваемые вопросы

I am confused with all the settings. What settings should I use?

First, I suggest to go through the CSP in detail. html5 rocks or smashingmagazine.com will help you understand more on CSP. Then you can use one of the templates or check the list refernce. Check the screenshots.


Ok you need to know what the CSP terms and options mean, else it won’t work. Easy to get the CSP wrong, and block stuff your site needs to function. It’s huge advantage is that it sets the CSP for the front end, and not for the wp-admin back end. Works really well on 5.5. GeneratePress & Gutenberg blocks
With CSP (Content Security Policy) being a bit of a complicated issue to deal with, and having tested several configurations over the course of th4e past 3 days, this plugin just makes it so simple to implement a CSP to your website without breaking it. The developer is a genius! Thank you — I am very grateful for your time developing this plugin. Best Regards.
This is a very nice plugin that makes it much easier to set up a content security policy. It even comes with a starter set. The options are pretty well documented and there are links to external sources. One suggestion I would like to see is the ability to run this in «report» mode too. I had to do a lot of testing to make sure I wasn’t blocking anything.
Посмотреть все 5 отзывов

Участники и разработчики

«Content Security Policy Pro» — проект с открытым исходным кодом. В развитие плагина внесли свой вклад следующие участники:


Перевести «Content Security Policy Pro» на ваш язык.

Заинтересованы в разработке?

Посмотрите код, проверьте SVN репозиторий, или подпишитесь на журнал разработки по RSS.

Журнал изменений


  • The css & js files specific to CSP admin page are loaded only while on this plugin page


  • tested the plugin on WordPress version 4.6.1


  • FIXED — The CSP header is sent only for front end pages


  • ADDED report-uri directive