Content Security Policy (CSP)
WARNING: Applying CSP can block scripts, styles, fonts, frames, API calls, or other resources that the site depends on. Applying CSP to WordPress admin can break some plugins or the editor, and saving a preset overwrites directive values unless Custom is selected.
Description of the control
Use this control to enable Content Security Policy, choose whether it applies to front-end pages and/or WordPress admin, and manage policy values through presets or manual directives. CSP tells the browser which origins it may load scripts, styles, fonts, images, frames, and API connections from, so a policy that lists only the sources the site actually needs limits what an injected script or markup fragment can do.
Procedure
- Open Posture Management.
- Select Transport & Browser Security.
- In the Content Security Policy (CSP) card, turn on Enable CSP.
- Select one or both scope options as needed: Apply CSP to front-end pages and Apply CSP to WordPress admin.
- Review the help text for admin scope and test carefully, ideally on a staging copy of the site, before applying CSP to admin pages.
- In CSP Preset, choose one of the available options: Strict (most secure, may break site), Balanced (recommended for most WordPress sites), Compatibility (allows most third-party tools), or Custom (manage directives manually).
- To review a preset before saving, select Preview preset.
- If you need direct control of policy values, choose Custom and open Configure directives.
- In the directives dialog, configure any needed values for default-src, script-src, style-src, font-src, img-src, connect-src, frame-ancestors, base-uri, form-action, and object-src. Fetch directives that are left empty (script-src, style-src, font-src, img-src, connect-src, object-src) fall back to default-src; frame-ancestors, base-uri, and form-action never fall back, so they are unrestricted unless set explicitly.
- Close the dialog when the directive values are complete.
- Select Save Transport & Browser Settings.
Validation
After saving, reload pages in each selected scope and confirm that scripts, styles, fonts, frames, and API calls still work; open the browser developer tools and check the console for CSP violation messages, which name the blocked resource and the directive that blocked it. Then inspect the delivered policy (normally the Content-Security-Policy response header). If a preset was used, verify the delivered policy matches that preset; if Custom was used, verify each directive value matches the configured input.
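The following script is an added example for the validation step; it is not part of the plugin or this documentation. It fetches a page's Content-Security-Policy header, parses it into directives, applies the default-src fallback rules described above, and flags values that weaken the policy (wildcards, 'unsafe-inline' without a nonce or hash, 'unsafe-eval', object-src not 'none', and missing frame-ancestors, base-uri, or form-action). The two sample headers are constructed for illustration and are not the plugin's actual preset values; the nonce value is a placeholder.

```python
"""Fetch and audit a Content-Security-Policy header.

Added example, not part of the plugin or its documentation. The sample
headers at the bottom are constructed and do not represent real presets.
"""
from urllib.request import Request, urlopen

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "font-src", "img-src",
                       "connect-src", "object-src"}
# Directives that never fall back; absence means no restriction at all.
NO_FALLBACK = {
    "frame-ancestors": "any site may frame the page (clickjacking)",
    "base-uri": "an injected <base> tag can redirect relative URLs",
    "form-action": "forms may be submitted to any origin",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; names are
    case-insensitive. A repeated directive is ignored after its first
    occurrence, which is how browsers treat duplicates.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Sources that govern `directive` after applying default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")  # None if default-src is also unset
    return None


def _has_nonce_or_hash(sources: list[str]) -> bool:
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
               for s in sources)


def audit_csp(header: str) -> list[str]:
    """Return a list of weaknesses; an empty list means none were found."""
    policy = parse_csp(header)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("default-src: missing, so unset fetch directives are unrestricted")

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append("script-src: not set and no default-src to fall back on")
    else:
        if "*" in script:
            findings.append("script-src: wildcard allows scripts from any origin")
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
        if "'unsafe-inline'" in script and not _has_nonce_or_hash(script):
            findings.append("script-src: 'unsafe-inline' permits injected inline scripts")
        if "'unsafe-eval'" in script:
            findings.append("script-src: 'unsafe-eval' permits eval() and new Function()")

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: should be 'none' to block <object>/<embed> content")

    for directive, consequence in NO_FALLBACK.items():
        if directive not in policy:
            findings.append(f"{directive}: missing, {consequence}")
    return findings


def fetch_csp(url: str):
    """Return the Content-Security-Policy header of `url`, or None if absent.

    Only meaningful against a live site; the samples below run offline.
    """
    with urlopen(Request(url, headers={"User-Agent": "csp-audit"})) as resp:
        return resp.headers.get("Content-Security-Policy")


# Constructed sample headers; not the plugin's presets. The nonce is a placeholder.
WEAK_CSP = ("default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; "
            "style-src * 'unsafe-inline'")
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-d2ViY3Nw'; "
                "style-src 'self'; font-src 'self'; img-src 'self' data:; "
                "connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; "
                "form-action 'self'; object-src 'none'")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: {audit_csp(csp) or ['no findings']}")
```

To check a live site, call audit_csp(fetch_csp("https://example.test/")) for a front-end page and again for an admin page after logging in; an empty list means the policy contains none of the listed weaknesses, not that every allowed source is necessary. Values entered in the Configure directives dialog can be pasted into parse_csp as a single header string to confirm what the resulting policy will allow before saving.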
