Plugin info

Total downloads: 308
Active installs: 10
Total reviews: 0
Average rating: 0
Support threads opened: 1
Support threads resolved: 0 (0%)
Available in: 3 language(s)
Contributors: 2
Last updated: 11/30/2025 (32 days ago)
Added to WordPress: 8/10/2025 (0 years old)
Minimum WordPress version: 6.4
Tested up to WordPress version: 6.9
Minimum PHP version: 7.2

Maintenance & Compatibility

Maintenance score

Actively maintained • Last updated 32 days ago • Support resolved 0%

49/100

Is Strict CSP abandoned?

Likely maintained (last update 32 days ago).

Compatibility

Requires WordPress: 6.4
Tested up to: 6.9
Requires PHP: 7.2

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

Wordfence Security – Firewall, Malware Scan, and Login Security
Rating 4.7/5 (4,733 reviews) · Active installs 5,000,000
Jetpack – WP Security, Backup, Speed, & Growth
Rating 3.7/5 (2,351 reviews) · Active installs 4,000,000
Hostinger Tools
Rating 2.9/5 (22 reviews) · Active installs 2,000,000
All-In-One Security (AIOS) – Security and Firewall
Rating 4.7/5 (1,677 reviews) · Active installs 1,000,000

Description

This plugin enforces a Strict Content Security Policy (CSP) on the frontend and login screen. This helps mitigate cross-site scripting (XSS) vulnerabilities. The policy cannot yet be applied to the WP Admin (see #59446).

In #58664, the manual construction of script tags was eliminated from WP_Scripts and from inline scripts on the frontend/login screen, thanks to the helper functions which had previously been introduced in #39941. This made it possible to apply Strict CSP, as long as themes and plugins are not directly printing script tags. For example, instead of doing this:

function my_theme_supports_js() {
    echo '<script>document.body.classList.remove("no-js");</script>'; // ❌
}
add_action( 'wp_footer', 'my_theme_supports_js' );

Instead, do this:

function my_theme_supports_js() {
    wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' ); // ✅
}
add_action( 'wp_footer', 'my_theme_supports_js' );

So in order for scripts to execute, they must be printed using the relevant APIs in WordPress for adding scripts, including wp_enqueue_script(), wp_add_inline_script(), wp_localize_script(), wp_print_script_tag(), wp_print_inline_script_tag(), and wp_enqueue_script_module(). Otherwise, a script’s execution will be blocked and an error will appear in the console, for example:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-9b539cfe47' 'unsafe-inline' 'strict-dynamic' https: http:". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

This also blocks scripts inside of event handler attributes, such as onclick, onchange, onsubmit, and onload. As noted on MDN:

Warning: The use of event handler content attributes is discouraged. The mix of HTML and JavaScript often produces unmaintainable code, and the execution of event handler attributes may also be blocked by content security policies.

This plugin also ensures that scripts added to the page from embeds (e.g. Tweets) also get the nonce attribute added.
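As an added illustration of the mechanism described above (example code written for this page, not the Strict CSP plugin's own implementation): one random nonce is generated per request, sent in the Content-Security-Policy header, and attached to every script tag that WordPress prints through its script APIs, which is why a hand-echoed script tag is refused. It relies on the core wp_script_attributes and wp_inline_script_attributes filters and on wp_generate_password(); the csp_demo_ function names, the object-src/base-uri directives and the login_init hook choice are this example's own assumptions.

```php
<?php
// Illustrative mini-plugin (not the Strict CSP plugin's code): per-request nonce
// in the CSP header and on every script tag printed via the WordPress script APIs.
// Assumes WordPress 6.4+ and that no theme/plugin echoes raw <script> tags.

function csp_demo_nonce(): string {
    static $nonce = null;
    if ( null === $nonce ) {
        // Random, unguessable and unique per response. Not wp_create_nonce():
        // that value is deterministic per user and tick, so it is not secret.
        $nonce = wp_generate_password( 32, false );
    }
    return $nonce;
}

function csp_demo_send_header(): void {
    if ( is_admin() || headers_sent() ) {
        return; // WP Admin is not yet covered by the policy.
    }
    // Matches the console error quoted above: 'unsafe-inline', https: and http:
    // are fallbacks for old browsers and are ignored by any browser that
    // understands nonces and 'strict-dynamic'. object-src and base-uri are the
    // usual Strict CSP companions (this example's assumption, not from the page).
    $policy = sprintf(
        "script-src 'nonce-%s' 'unsafe-inline' 'strict-dynamic' https: http:; object-src 'none'; base-uri 'none'",
        csp_demo_nonce()
    );
    header( 'Content-Security-Policy: ' . $policy );
}
add_action( 'send_headers', 'csp_demo_send_header' ); // frontend requests
add_action( 'login_init', 'csp_demo_send_header' );   // wp-login.php

// Scripts printed by wp_enqueue_script(), wp_add_inline_script(),
// wp_print_script_tag(), wp_print_inline_script_tag(), etc. pass through these
// filters, so only they receive the nonce; a hand-echoed <script> never does.
function csp_demo_add_nonce( array $attributes ): array {
    if ( ! is_admin() ) {
        $attributes['nonce'] = csp_demo_nonce();
    }
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_demo_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_demo_add_nonce' );
```

To check the result, load a frontend page with the browser's developer tools open: every script tag printed by WordPress carries the nonce from the response header, and any script echoed directly by a theme or plugin is reported with the "Refused to execute inline script" error shown above.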

Installation

Automatic

  1. Visit Plugins > Add New in the WordPress Admin.
  2. Search for Strict CSP.
  3. Install and activate the Strict CSP plugin.
  4. Log out of WordPress and log back in with the “Remember Me” checkbox checked.

You may also install and update via Git Updater using the plugin’s GitHub URL.

Manual

  1. Download the plugin ZIP either from WordPress.org or from GitHub. Alternatively, if you have a local clone of the repo, run npm run plugin-zip.
  2. Visit Plugins > Add New Plugin in the WordPress Admin.
  3. Click Upload Plugin.
  4. Select the strict-csp.zip file on your system from step 1 and click Install Now.
  5. Click the Activate Plugin button.

Frequently Asked Questions

No FAQ available

Review feed

No reviews available

Screenshots

No screenshots available

Changelog

0.3.2

  • Use wp_generate_password() to create CSP nonce instead of using wp_create_nonce(). Props kasparsd. (#13)

0.3.1

  • Update required PHP version to 7.2 instead of 8.1.

0.3.0

  • Add nonce attributes to scripts added by embeds.

0.2.0

  • Disable Strict CSP from Site Editor.
  • Restrict policy to frontend and login screen.

0.1.0

  • Initial release.