No unsafe-inline

This plugin assists site administrators and developers in implementing a strict Content Security Policy (CSP) for their CMS-based projects. It is designed for those who need to enhance site security against cross-site scripting (XSS) and other injection attacks by moving away from permissive 'unsafe-inline' directives. The process involves analyzing site content and providing a structured method to authorize legitimate scripts.

• Automated Script Discovery: During a capture phase, the plugin detects all scripts, styles, and embedded content across your site's pages and catalogs them for review.
• Machine Learning Clustering: It groups similar inline scripts, which are often generated dynamically, allowing you to authorize entire categories of scripts based on a single approved example.
• Multiple Authorization Methods: You can choose to authorize external scripts using Subresource Integrity hashes and inline scripts using either cryptographic hashes or dynamically generated nonces.
• Code Refactoring Assistance: The plugin can automatically refactor HTML event attributes (like onclick) and inline styles into safer alternatives, such as moving them to dedicated script blocks or internal CSS, to avoid using 'unsafe-hashes'.
• Policy Testing and Reporting: It includes a testing mode to generate a temporary policy and capture violations, helping you iteratively build a complete and functional CSP. You can also configure endpoints to receive violation reports.