Strict CSP

This plugin protects your site from cross-site scripting (XSS) attacks by enforcing a Strict Content Security Policy (CSP) on the frontend and login screen. It is designed for site owners and developers who want to harden their site against script injection without breaking legitimate functionality.

• Nonce-based script execution: The plugin assigns a unique cryptographic nonce to every allowed script. Only scripts with the correct nonce will execute, blocking unauthorized inline scripts and event handlers like onclick or onload.
• Automatic embed support: Scripts added by embeds (e.g., Tweets) automatically receive the nonce attribute, ensuring third-party content remains functional under the policy.
• Admin area exclusion: The policy is not applied to the WordPress Admin, preventing compatibility issues with admin plugins that may not use the required script APIs.
• Developer guidance: The plugin encourages best practices by requiring themes and plugins to use WordPress functions like wp_print_inline_script_tag() or wp_enqueue_script() instead of directly printing <script> tags. Scripts that bypass these APIs will be blocked and logged in the browser console.
• Compatibility with modern WordPress: Tested up to WordPress 6.9, the plugin leverages core improvements that eliminated manual script tag construction, making Strict CSP feasible for most sites.