Technical guide on implementing a Content Security Policy (CSP) for WordPress. Learn to mitigate XSS and data injection attacks by configuring Nginx headers on your Hovixa VPS.
Implementing a Content Security Policy (CSP) for WordPress Headers
A Content Security Policy (CSP) is a powerful security layer that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. By defining a CSP, you tell the browser exactly which domains are "trusted" sources for scripts, styles, and images. On a Hovixa VPS, the most efficient way to implement this is via your Nginx configuration, ensuring the policy is enforced before WordPress even begins to process the request.
1. The Logic of a "Default-Src" Policy
A CSP works by using directives to define allowed sources for different content types. The most restrictive and secure approach is to start with a default-src 'self' policy, which blocks everything not explicitly allowed from your own domain.
Primary Directives for WordPress:
- script-src: Defines allowed sources for JavaScript.
- style-src: Defines allowed sources for CSS.
- img-src: Defines allowed sources for images.
- frame-ancestors: Prevents clickjacking by defining who can embed your site in an iframe.
2. Implementing CSP via Nginx
For high-performance Hovixa environments, adding the policy to your Nginx server block avoids the PHP overhead of using a WordPress plugin. Note that WordPress often requires 'unsafe-inline' and 'unsafe-eval' for certain plugins and the block editor (Gutenberg) to function, though this should be minimized where possible.
# Add this inside your Nginx 'server' block
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://secure.gravatar.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none';";
3. Common WordPress CSP Requirements
| Resource | Required Source Value |
|---|---|
| Google Fonts | `https://fonts.googleapis.com` and `https://fonts.gstatic.com` |
| Gravatar | `https://secure.gravatar.com` |
| YouTube Embeds | `https://www.youtube.com` and `https://s.ytimg.com` |
| Google Analytics | `https://www.google-analytics.com` |
4. Testing with "Report-Only" Mode
A strict CSP can easily "break" your site by blocking legitimate scripts. Before going live, use the Content-Security-Policy-Report-Only header. This will log violations to the browser console without actually blocking the resources.
# Use this for testing
add_header Content-Security-Policy-Report-Only "default-src 'self'; ...";
5. Technical Implementation Details
- Nonces: The most secure CSPs use a "nonce" (number used once) to allow specific inline scripts while blocking others. However, implementing nonces in WordPress is complex and usually requires a dedicated security plugin to hook into
wp_enqueue_script. - Subresource Integrity (SRI): While CSP controls where scripts come from, SRI ensures the content of the script hasn't been tampered with by verifying a cryptographic hash.
- Inheritance: If you use a Multi-site setup on Hovixa, remember that subdomains or subdirectories will inherit the parent's CSP unless explicitly overridden in their specific location blocks.
Sysadmin Advice: Use a tool like **CSP Evaluator** (by Google) to paste your header and check for "high-severity" bypasses. Most WordPress sites struggle to remove `'unsafe-inline'`, but ensuring you have a strict `frame-ancestors 'none'` or `'self'` is a critical first step in stopping clickjacking.
