External/wordpress-csp-example
1
0
Fork 0
mirror of https://github.com/dan-bailey/wordpress-csp-example.git synced 2026-06-09 06:38:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Example file uploaded.

Browse Source
This commit is contained in:
Dan Bailey
2021-08-19 13:33:11 -05:00
committed by GitHub
parent 0eefe78b50
commit 89ac8c0a3a
1 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
wp_csp.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
// This puts the lotion in the--nevermind, it shows you how to insert a Content Security Policy (or other HTTP Header) in Wordpress.
// Add this to your functions.php file (after modifying the CSP parts to suit your needs).
function cspInsert() {
// final CSP built as chunks for easier maintenance
// create the nonce for javascript
$GLOBALS['nonce'] = base64_encode(random_bytes(16)); // generate a nonce
$cspStart = "Content-Security-Policy: ";
$cspDefault = "default-src 'none'; ";
$cspScriptHeader = "script-src 'self' 'nonce-".$GLOBALS['nonce']."' 'unsafe-inline' 'unsafe-eval' ";
$cspScriptSites = "https://*.google.com https://connect.facebook.net; ";
$cspStyle = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; ";
$cspImages = "img-src 'self' data: https://secure.gravatar.com https://twin-iq.kickfire.com https://www.rumiview.com https://track.hubspot.com/; ";
$cspFonts = "font-src 'self' data: https://fonts.gstatic.com; ";
$cspConnect = "connect-src 'self' https://api.hubapi.com/hs-script-loader-public/v1/config/pixel/json https://hits-i.iubenda.com/write; ";
$cspFrames = "frame-src 'self' https://www.google.com https://www.youtube.com; ";
$cspForms = "form-action 'self';";
$cspTotal = $cspStart.$cspDefault.$cspScriptHeader.$cspScriptSites.$cspStyle.$cspImages.$cspFonts.$cspConnect.$cspFrames.$cspForms;
header($cspTotal);
}
add_action('send_headers', 'cspInsert', 1);
?>