Content-Security-Policy (CSP) is an HTTP response header that allows you to control which resources (scripts, styles, images, fonts, etc.) the browser is allowed to load on your page. It is one of the most effective defenses against Cross-Site Scripting (XSS) attacks.
Why CSP Matters
XSS attacks are among the most common web vulnerabilities. An attacker injects malicious JavaScript into your page, which then runs in visitors' browsers. CSP limits this by letting the server declare exactly which sources the browser may trust:
- Blocks inline scripts injected by attackers
- Prevents loading of scripts from unauthorized domains
- Reports violations so you can monitor attack attempts
Example Header
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com
Common Directives
- default-src — Fallback policy for all resource types.
- script-src — Allowed sources for JavaScript.
- style-src — Allowed sources for CSS.
- img-src — Allowed sources for images.
- font-src — Allowed sources for fonts.
- connect-src — Allowed targets for AJAX, WebSocket, and fetch requests.
- frame-src — Allowed sources for iframes.
CSP and WordPress
Implementing CSP on WordPress can be challenging because many plugins and themes use inline scripts and styles. Start with the Content-Security-Policy-Report-Only header to monitor violations without breaking functionality, then gradually tighten the policy.
What InspectWP Checks
InspectWP checks whether your site sends a Content-Security-Policy header. If the header is absent, the check reports that your site has no CSP protection against XSS and other injection attacks.
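The directive fallback rules listed above and the kind of check described in this section, as an added example (not InspectWP's own code): a small Python parser for a CSP header value, using the article's example header as constructed input, that resolves each directive to its effective sources and reports the weak settings a checker would flag. The finding strings and the NONCE_OR_HASH prefix list are this example's own choices.

```python
from typing import Dict, List

# Constructed sample input: the example header shown in the article above.
EXAMPLE_HEADER = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
    "font-src 'self' https://fonts.gstatic.com"
)
# Nonce and hash source expressions; their presence changes how 'unsafe-inline' is treated.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive.
    When a directive is repeated, browsers keep the first occurrence; setdefault mirrors that."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing `directive`: its own list, otherwise the default-src fallback."""
    return policy.get(directive, policy.get("default-src", []))


def inline_allowed(sources: List[str]) -> bool:
    """True when inline code is really permitted: CSP Level 2+ browsers ignore
    'unsafe-inline' as soon as the same directive carries a nonce or hash."""
    return "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources)


def find_weaknesses(policy: Dict[str, List[str]]) -> List[str]:
    """Findings a CSP checker would report for the parsed policy, strongest first."""
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    scripts = effective_sources(policy, "script-src")
    if inline_allowed(scripts):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    for wide in ("*", "https:", "http:"):
        if wide in scripts:
            findings.append(f"script-src '{wide}' permits scripts from any such origin")
    if inline_allowed(effective_sources(policy, "style-src")):
        findings.append("style-src allows 'unsafe-inline' (lower risk than scripts, still worth tightening)")
    return findings
```

Run against the article's example header it reports only the style-src 'unsafe-inline' finding, which is the usual starting point when tightening a WordPress policy after a Report-Only trial.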