A WordPress plugin for discovering, configuring, and enforcing Content-Security-Policy headers. Built for WordPress 6.4+ and PHP 8.1+.
The plugin can be used to discover and tighten an existing policy, or as a starting point for a new project. Depending on the selected mode it emits either a Content-Security-Policy-Report-Only or a Content-Security-Policy header, so you can test in Report Only mode before enforcing.
Important! In Report Only (discovery) mode on a live site, every visitor's browser checks every resource against the policy and reports each violation back to the site. This can generate a large number of violation reports and significantly impact page performance. Use with caution on high-traffic sites; preferably run it only for short periods when needed.
Features
- Three modes — Disabled, Report Only (discover mode), and Enforce.
- Violation log — Browsers report blocked resources to a REST endpoint; violations are stored in a custom DB table, grouped by origin and directive, and displayed in the admin UI.
- Add to allowlist — One click adds the blocked origin to the correct directive in your policy.
- Reporting API support — Emits both `report-uri` (legacy, Safari ≤15 fallback) and `report-to csp-endpoint` (modern batched Reporting API), so browsers that support the Reporting API buffer and batch violation reports instead of sending one HTTP request per violation.
- Nonce injection — Optionally generates a per-request cryptographic nonce, injects it into the CSP header, and adds it to every `<script>` and `<style>` tag rendered by WordPress core APIs (requires WP 6.3+).
- strict-dynamic support — Optional. When nonces are enabled, `'strict-dynamic'` can be injected into `script-src` so that scripts loaded by nonce-bearing scripts (e.g. GTM tags) are also trusted by modern browsers.
- Violation retention — Configurable retention period (1-365 days). Automatic daily cleanup via WP-Cron. Cleanup only runs in Report Only mode; in Enforce mode violations are preserved as a rollback audit trail.
- Export — Download violation log as JSON or CSV.
- Safe defaults — A fresh install ships with a broad but valid starting policy (see Default policy) so Report Only mode produces meaningful reports immediately.
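How the header described in the feature list fits together, as an added example (not the plugin's own code): the mode picks the header name, the per-request nonce and `'strict-dynamic'` are appended to `script-src`/`style-src`, and both `report-uri` and `report-to` are emitted alongside a `Reporting-Endpoints` header. The function names, the constants, the starting policy and the report URL are all assumptions; the plugin's real default policy and hooks are not shown here.

```php
<?php
// Added example, not the plugin's own code. Assembles the CSP header the way the
// feature list describes. Function names, constants, the policy array and the
// report URL are assumptions.
declare(strict_types=1);

const CSP_MODE_DISABLED    = 'disabled';
const CSP_MODE_REPORT_ONLY = 'report-only';
const CSP_MODE_ENFORCE     = 'enforce';

/** Per-request nonce: 128 bits from the CSPRNG, base64-encoded (the charset CSP expects). */
function csp_make_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Build the response headers for one request.
 *
 * @param array<string, string[]> $policy        directive => source expressions
 * @param string                  $mode          one of the CSP_MODE_* constants
 * @param string|null             $nonce         per-request nonce, null when nonces are off
 * @param bool                    $strictDynamic add 'strict-dynamic' to script-src (needs a nonce)
 * @param string                  $reportUrl     absolute URL of the endpoint receiving reports
 * @return array<string, string>                 header name => value; empty when disabled
 */
function csp_build_headers(array $policy, string $mode, ?string $nonce, bool $strictDynamic, string $reportUrl): array
{
    if ($mode === CSP_MODE_DISABLED) {
        return [];
    }
    if ($nonce !== null) {
        foreach (['script-src', 'style-src'] as $directive) {
            // A directive missing from the policy would fall back to default-src, which
            // cannot carry the nonce, so seed it from default-src before appending.
            $policy[$directive] ??= $policy['default-src'] ?? [];
            $policy[$directive][] = "'nonce-{$nonce}'";
        }
        if ($strictDynamic) {
            $policy['script-src'][] = "'strict-dynamic'";
        }
    }

    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', array_unique($sources));
    }
    // Legacy mechanism (Safari <= 15) and the Reporting API group name, side by side.
    $parts[] = 'report-uri ' . $reportUrl;
    $parts[] = 'report-to csp-endpoint';

    $name = $mode === CSP_MODE_ENFORCE ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';

    return [
        $name => implode('; ', $parts),
        // Reporting API v1 header that binds the group name to the endpoint URL.
        'Reporting-Endpoints' => 'csp-endpoint="' . $reportUrl . '"',
    ];
}

/** What a nonce-aware script-rendering hook would output for one enqueued script. */
function csp_script_tag(string $src, string $nonce): string
{
    return sprintf(
        '<script src="%s" nonce="%s"></script>',
        htmlspecialchars($src, ENT_QUOTES),
        htmlspecialchars($nonce, ENT_QUOTES)
    );
}

// Constructed starting policy (not the plugin's actual default policy).
$policy = [
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", 'https://www.googletagmanager.com'],
    'img-src'     => ["'self'", 'data:'],
];
$nonce   = csp_make_nonce();
$headers = csp_build_headers($policy, CSP_MODE_REPORT_ONLY, $nonce, true, 'https://example.com/wp-json/csp/v1/report');

foreach ($headers as $name => $value) {
    if (PHP_SAPI !== 'cli') {
        header($name . ': ' . $value);   // only meaningful inside a real HTTP response
    }
    echo $name, ': ', $value, "\n";
}
echo csp_script_tag('/wp-includes/js/jquery/jquery.min.js', $nonce), "\n";
```

Two caveats worth checking before enabling these options on a real site. With `'strict-dynamic'` present, a supporting browser ignores the host allowlist and `'self'` in `script-src`; those entries only serve older browsers, so the list of hosts no longer tells you what modern browsers will load. And the nonce is only a nonce if it differs per response: a full-page cache that stores the rendered HTML (and its nonce) and serves it to many visitors turns the nonce into a fixed allowlist token, so page caching has to be bypassed or the nonce injected after the cache.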
More information is in the readme: https://github.com/DekodeInteraktiv/dekode-library/tree/main/library/csp-helper
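The violation log, the Reporting API support and the one-click "add to allowlist" items above all depend on the same server-side step: parsing what the browser posts, reducing it to an origin and directive, and adding that origin to the right directive. The block below is an added example of that step and is not the plugin's own code; the two report payloads are constructed, and the function names and the sample policy are assumptions.

```php
<?php
// Added example, not the plugin's own code: the parsing, grouping and allowlist
// update a report endpoint has to perform. Payloads are constructed; function
// names and the sample policy are assumptions.
declare(strict_types=1);

/**
 * Normalise the request body into [['directive' => ..., 'blocked' => ...], ...].
 * report-uri posts one object as application/csp-report; report-to posts a JSON
 * array of reports (possibly of mixed types) as application/reports+json.
 */
function csp_parse_reports(string $contentType, string $body): array
{
    $data = json_decode($body, true, 16);
    if (!is_array($data)) {
        return [];
    }
    $out = [];
    if (str_starts_with($contentType, 'application/reports+json')) {
        foreach ($data as $report) {
            $b = $report['body'] ?? null;
            if (($report['type'] ?? null) !== 'csp-violation' || !is_array($b)) {
                continue;   // other report types (deprecation, intervention, ...) share the endpoint
            }
            $out[] = ['directive' => (string) ($b['effectiveDirective'] ?? ''), 'blocked' => (string) ($b['blockedURL'] ?? '')];
        }
    } elseif (is_array($data['csp-report'] ?? null)) {
        $r = $data['csp-report'];
        // Older Firefox put the whole directive ("script-src 'self'") in violated-directive.
        $directive = $r['effective-directive'] ?? explode(' ', (string) ($r['violated-directive'] ?? ''))[0];
        $out[] = ['directive' => (string) $directive, 'blocked' => (string) ($r['blocked-uri'] ?? '')];
    }
    return array_values(array_filter($out, fn (array $v): bool => $v['directive'] !== ''));
}

/**
 * Reduce a blocked URL to the source expression an allowlist entry would use.
 * Returns null for inline/eval and friends, which need a nonce, a hash or a code
 * change rather than an origin entry.
 */
function csp_blocked_to_source(string $blocked): ?string
{
    if ($blocked === '' || in_array($blocked, ['inline', 'eval', 'wasm-eval', 'self', 'about'], true)) {
        return null;
    }
    if (in_array($blocked, ['data', 'blob', 'filesystem'], true)) {
        return $blocked . ':';          // legacy reports send the bare scheme keyword
    }
    $p = parse_url($blocked);
    if ($p === false || empty($p['scheme'])) {
        return null;
    }
    if (empty($p['host'])) {
        return $p['scheme'] . ':';      // e.g. a full data: URL in the report
    }
    return $p['scheme'] . '://' . $p['host'] . (empty($p['port']) ? '' : ':' . $p['port']);
}

/** Group by directive and allowlist source with a count, as the admin UI would list them. */
function csp_group(array $violations): array
{
    $groups = [];
    foreach ($violations as $v) {
        $key = $v['directive'] . ' ' . (csp_blocked_to_source($v['blocked']) ?? $v['blocked']);
        $groups[$key] = ($groups[$key] ?? 0) + 1;
    }
    return $groups;
}

/**
 * Add a source to the directive that governs the blocked fetch. Browsers report
 * script-src-elem/-attr even when the policy only has script-src, so fall back to
 * the parent; a directive absent from the policy is created from default-src
 * rather than widening default-src itself.
 */
function csp_add_to_allowlist(array $policy, string $effective, string $source): array
{
    $directive = isset($policy[$effective]) ? $effective : preg_replace('/-(elem|attr)$/', '', $effective);
    $policy[$directive] ??= $policy['default-src'] ?? [];
    if (!in_array($source, $policy[$directive], true)) {
        $policy[$directive][] = $source;
    }
    return $policy;
}

// Constructed payloads, one per wire format.
$legacy = json_encode(['csp-report' => [
    'document-uri' => 'https://example.com/', 'effective-directive' => 'script-src-elem',
    'blocked-uri' => 'https://cdn.example.net/lib.js', 'disposition' => 'report',
]]);
$batch = json_encode([
    ['type' => 'csp-violation', 'age' => 12, 'url' => 'https://example.com/',
     'body' => ['effectiveDirective' => 'script-src-elem', 'blockedURL' => 'https://cdn.example.net', 'disposition' => 'report']],
    ['type' => 'csp-violation', 'age' => 30, 'url' => 'https://example.com/',
     'body' => ['effectiveDirective' => 'script-src-elem', 'blockedURL' => 'inline', 'disposition' => 'report']],
    ['type' => 'deprecation', 'age' => 5, 'url' => 'https://example.com/', 'body' => []],
]);

$violations = array_merge(csp_parse_reports('application/csp-report', $legacy),
                          csp_parse_reports('application/reports+json; charset=utf-8', $batch));
print_r(csp_group($violations));   // both formats collapse onto the same origin key; "inline" stays separate

$policy = ['default-src' => ["'self'"], 'script-src' => ["'self'"]];
print_r(csp_add_to_allowlist($policy, 'script-src-elem', 'https://cdn.example.net'));
```

The endpoint that receives these payloads is necessarily unauthenticated, since browsers post reports without any user session, so anyone can POST arbitrary JSON to it. Cap the body size, rate-limit per client, and drop reports whose document URL is not one of your own hosts before storing them; otherwise the violation log can be filled with fake entries, and an admin clicking "add to allowlist" on a fabricated report would be allowlisting an origin the attacker chose.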