Title: Strict CSP
Author: Weston Ruter
Published: 10.08.2025
Last modified: 19.05.2026

---

![](https://ps.w.org/strict-csp/assets/banner-772x250.png?rev=3342167)

![](https://ps.w.org/strict-csp/assets/icon.svg?rev=3342167)

# Strict CSP

Author: [Weston Ruter](https://profiles.wordpress.org/westonruter/)

[Download](https://downloads.wordpress.org/plugin/strict-csp.0.3.2.zip)


## Description

This plugin enforces a [Strict Content Security Policy](https://web.dev/articles/strict-csp) (CSP)
on the frontend and login screen. This helps mitigate [cross-site scripting](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS) (XSS)
vulnerabilities. The policy cannot yet be applied to the WP Admin (see [#59446](https://core.trac.wordpress.org/ticket/59446)).

In [#58664](https://core.trac.wordpress.org/ticket/58664), the manual construction
of script tags was eliminated from `WP_Scripts` and inline scripts on frontend/login
screen, thanks to the helper functions which had previously been introduced in [#39941](https://core.trac.wordpress.org/ticket/39941).
This made it possible to apply Strict CSP, as long as themes and plugins are not
directly printing `<script>` tags. Some bundled WordPress core themes [still do this](https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop+path%3A%2F%5Esrc%5C%2Fwp-content%5C%2Fthemes%5C%2F%2F+%2F%3Cscript%5B%5E%3E%5D*%3E%2F&type=code)
incorrectly (which has been reported in Trac as [#63806](https://core.trac.wordpress.org/ticket/63806)).
For example, do not do this:

```php
function my_theme_supports_js() {
    echo '<script>document.body.classList.remove("no-js");</script>'; // ❌
}
add_action( 'wp_footer', 'my_theme_supports_js' );
```

Instead, do this:

```php
function my_theme_supports_js() {
    wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' ); // ✅
}
add_action( 'wp_footer', 'my_theme_supports_js' );
```

So in order for scripts to execute, they must be printed using the relevant APIs
in WordPress for adding scripts, including [`wp_enqueue_script()`](https://developer.wordpress.org/reference/functions/wp_enqueue_script/),
[`wp_add_inline_script()`](https://developer.wordpress.org/reference/functions/wp_add_inline_script/),
[`wp_localize_script()`](https://developer.wordpress.org/reference/functions/wp_localize_script/),
[`wp_print_script_tag()`](https://developer.wordpress.org/reference/functions/wp_print_script_tag/),
[`wp_print_inline_script_tag()`](https://developer.wordpress.org/reference/functions/wp_print_inline_script_tag/),
and [`wp_enqueue_script_module()`](https://developer.wordpress.org/reference/functions/wp_enqueue_script_module/).
Otherwise, a script’s execution will be blocked and an error will appear in the 
console, for example:

> Refused to execute inline script because it violates the following Content Security
> Policy directive: "script-src 'nonce-9b539cfe47' 'unsafe-inline' 'strict-dynamic'
> https: http:". Note that 'unsafe-inline' is ignored if either a hash or nonce
> value is present in the source list.

This also blocks scripts inside of [event handler attributes](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes#event_handler_attributes),
such as `onclick`, `onchange`, `onsubmit`, and `onload`. As noted on MDN:

> Warning: The use of event handler content attributes is discouraged. The mix of
> HTML and JavaScript often produces unmaintainable code, and the execution of event
> handler attributes may also be blocked by content security policies.

This plugin also ensures that scripts added to the page by embeds (e.g. Tweets)
receive the `nonce` attribute, so they are allowed by the policy as well.
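To make the mechanism concrete, here is an added example of how a nonce-based Strict CSP can be wired into WordPress. It is not the plugin's own code; it assumes WordPress 5.7 or later (where the `wp_script_attributes` and `wp_inline_script_attributes` filters introduced by #39941 exist), covers the frontend only (the plugin also covers the login screen), and all `example_*` function names are hypothetical.

```php
<?php
/**
 * Added example: a minimal nonce-based Strict CSP for the WordPress frontend.
 * Not the Strict CSP plugin's code. Assumes WordPress >= 5.7; function names are hypothetical.
 */

// One nonce per request. wp_generate_password( $length, $special_chars = false ) returns a
// cryptographically random alphanumeric string. wp_create_nonce() is deliberately NOT used:
// it is an HMAC that stays the same for a user within its tick window, so it is not a
// fresh per-response value, which is what a CSP nonce must be.
function example_csp_nonce(): string {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = wp_generate_password( 32, false );
	}
	return $nonce;
}

// Build the policy string. The script-src line matches the one shown in the console error
// above: nonced scripts run, 'strict-dynamic' lets them load further scripts, and
// 'unsafe-inline', https: and http: are fallbacks that nonce-aware browsers ignore.
// object-src and base-uri follow the web.dev Strict CSP guidance linked in the description.
function example_csp_policy( string $nonce ): string {
	return implode(
		'; ',
		array(
			"script-src 'nonce-{$nonce}' 'unsafe-inline' 'strict-dynamic' https: http:",
			"object-src 'none'",
			"base-uri 'none'",
		)
	);
}

// Send the header for frontend requests. The send_headers action runs in WP::main() before
// any output, so header() is still possible here.
add_action(
	'send_headers',
	function () {
		header( 'Content-Security-Policy: ' . example_csp_policy( example_csp_nonce() ) );
	}
);

// Attach the nonce to every script WordPress prints through its own helpers. These two
// filters run inside wp_print_script_tag() and wp_print_inline_script_tag(), which is why
// scripts registered via wp_enqueue_script(), wp_add_inline_script() and
// wp_localize_script() pick up the nonce automatically while a hand-echoed <script> does not.
function example_add_csp_nonce( array $attributes ): array {
	$attributes['nonce'] = example_csp_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_add_csp_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_add_csp_nonce' );

// Theme code that goes through the API is allowed: the tag below is printed as
// <script nonce="..."> and therefore matches the 'nonce-...' source in the header.
add_action(
	'wp_footer',
	function () {
		wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' );
	}
);

// Event handler attributes such as onclick="..." are blocked by the same policy. The
// replacement is to attach the handler from a nonced script instead of from markup.
add_action(
	'wp_footer',
	function () {
		wp_print_inline_script_tag(
			'document.querySelectorAll("[data-toggle-menu]").forEach(function (el) {'
			. ' el.addEventListener("click", function () {'
			. ' document.body.classList.toggle("menu-open"); }); });'
		);
	}
);
```

The two things to check after activating a policy like this are the response header (`Content-Security-Policy` should carry a different `nonce-` value on every page load) and the browser console: any "Refused to execute inline script" message, like the one quoted above, points at a theme or plugin that still echoes `<script>` tags or uses `on*` attributes instead of the WordPress script APIs.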

## Installation

#### Automatic

 1. Visit **Plugins > Add New** in the WordPress Admin.
 2. Search for **Strict CSP**.
 3. Install and activate the **Strict CSP** plugin.
 4. Log out of WordPress and log back in with the “Remember Me” checkbox checked.

You may also install and update via [Git Updater](https://git-updater.com/) using
the [plugin’s GitHub URL](https://github.com/westonruter/strict-csp).

#### Manual

 1. Download the plugin ZIP either [from WordPress.org](https://downloads.wordpress.org/plugin/strict-csp.zip)
    or [from GitHub](https://github.com/westonruter/strict-csp/archive/refs/heads/main.zip).
    Alternatively, if you have a local clone of the repo, run `npm run plugin-zip`.
 2. Visit **Plugins > Add New Plugin** in the WordPress Admin.
 3. Click **Upload Plugin**.
 4. Select the `strict-csp.zip` file on your system from step 1 and click **Install
    Now**.
 5. Click the **Activate Plugin** button.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

"Strict CSP" is open source software. The following people have contributed to this
plugin:

Contributors

 * [Weston Ruter](https://profiles.wordpress.org/westonruter/)

"Strict CSP" has been translated into 1 locale. Thank you to the [translators](https://translate.wordpress.org/projects/wp-plugins/strict-csp/contributors)
for their contributions.

[Translate "Strict CSP" into your language.](https://translate.wordpress.org/projects/wp-plugins/strict-csp)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/strict-csp/), check out the
[SVN repository](https://plugins.svn.wordpress.org/strict-csp/), or subscribe to the
[development log](https://plugins.trac.wordpress.org/log/strict-csp/) by [RSS](https://plugins.trac.wordpress.org/log/strict-csp/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 0.3.2

 * Use `wp_generate_password()` to create CSP nonce instead of using `wp_create_nonce()`.
   Props [kasparsd](https://profiles.wordpress.org/kasparsd/). ([#13](https://github.com/westonruter/strict-csp/pull/13))

#### 0.3.1

 * Update required PHP version to 7.2 instead of 8.1.

#### 0.3.0

 * Add `nonce` attributes to scripts added by embeds.

#### 0.2.0

 * Disable Strict CSP from Site Editor.
 * Restrict policy to frontend and login screen.

#### 0.1.0

 * Initial release.

## Community plugin

This plugin is developed and supported by the community. [Contribute to this plugin](https://github.com/westonruter/strict-csp)

## Meta

 * Version: **0.3.2**
 * Last updated: **2 weeks ago**
 * Active installations: **40+**
 * WordPress version: **6.4 or higher**
 * Tested up to: **7.0**
 * PHP version: **7.2 or higher**
 * Languages: [English (US)](https://wordpress.org/plugins/strict-csp/) and [German](https://de.wordpress.org/plugins/strict-csp/).
   [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/strict-csp)
 * Tag: [security](https://ru.wordpress.org/plugins/tags/security/)
