Remediation Steps

Follow the steps below to remediate this finding on WordPress.

  1. Add the following to your theme's functions.php file. The send_headers action fires before WordPress sends its own headers on front-end requests, so the header reaches the browser before any output:

    // Emit a baseline CSP on every front-end response.
    // 'unsafe-inline' is kept here only because WordPress core and many plugins print inline scripts.
    add_action('send_headers', function() {
        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';");
    });
  2. Alternatively, use a plugin such as "HTTP Headers" or "WP Content Security Policy" to configure CSP without code changes.

  3. Note: WordPress core and many plugins print inline scripts, so a script-src without 'unsafe-inline' will break them unless every inline script carries a matching nonce or hash. The policy above therefore keeps 'unsafe-inline', which means it does not stop inline-script XSS; its value is in blocking off-origin scripts and plugins (object-src 'none'). Deploy any candidate policy first as Content-Security-Policy-Report-Only, review the violation reports, and only then switch to the enforcing header. WordPress 5.7 and later expose the wp_script_attributes and wp_inline_script_attributes filters, which let a theme attach a per-request nonce to the script tags WordPress itself prints, so 'unsafe-inline' can be dropped for those scripts.
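The three steps above can be combined into one nonce-based policy that drops 'unsafe-inline' for the scripts WordPress prints through its script API. The following is an added example for a theme's functions.php, not code from the original page or from WordPress; it assumes WordPress 5.7 or later (for the two attribute filters), PHP 7 or later (for random_bytes), and a hypothetical reporting endpoint at /csp-report. The EXAMPLE_CSP_REPORT_ONLY constant is likewise an assumption for toggling report-only mode from wp-config.php.

```php
<?php
/**
 * Added example: nonce-based Content-Security-Policy for a WordPress theme.
 * Not part of the original page or of WordPress core.
 *
 * Assumptions (labelled):
 *  - WordPress >= 5.7, which added the wp_script_attributes and
 *    wp_inline_script_attributes filters used below.
 *  - PHP >= 7 for random_bytes().
 *  - /csp-report is a hypothetical endpoint that accepts violation reports.
 *  - EXAMPLE_CSP_REPORT_ONLY is a hypothetical constant you define in
 *    wp-config.php while rolling the policy out.
 */

// One nonce per request: generated once, then reused for the header and
// for every script tag, so header and tags always agree.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits from the CSPRNG, base64-encoded as CSP requires.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Build the policy string. script-src carries the nonce instead of
// 'unsafe-inline', so an injected <script> without the nonce is blocked.
function example_csp_policy( $nonce ) {
    $directives = array(
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",        // stops <base> injection from redirecting relative script URLs
        "frame-ancestors 'self'", // clickjacking protection, superset of X-Frame-Options
        "report-uri /csp-report", // hypothetical endpoint
    );
    return implode( '; ', $directives );
}

// Send the header on front-end requests. While EXAMPLE_CSP_REPORT_ONLY is
// true the browser only reports violations and blocks nothing.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return; // a plugin already started output; cannot add headers now
    }
    $report_only = defined( 'EXAMPLE_CSP_REPORT_ONLY' ) && EXAMPLE_CSP_REPORT_ONLY;
    $name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header( $name . ': ' . example_csp_policy( example_csp_nonce() ) );
} );

// Attach the nonce to <script src="..."> tags that WordPress prints for
// scripts registered with wp_enqueue_script (filter added in WP 5.7).
add_filter( 'wp_script_attributes', function ( $attributes ) {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
} );

// Attach the nonce to inline <script> tags that WordPress prints, e.g. from
// wp_add_inline_script (filter added in WP 5.7).
add_filter( 'wp_inline_script_attributes', function ( $attributes ) {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
} );
```

Two caveats worth checking before enforcing. Scripts that a plugin echoes directly into the page rather than through wp_enqueue_script or wp_add_inline_script never pass through these filters, receive no nonce, and will be blocked; run in report-only mode first and the /csp-report traffic will list them. A full-page cache also defeats nonces, because the cached HTML carries a nonce from an earlier request while each new response header carries a fresh one; with such a cache in front of WordPress, either exclude the CSP header and script tags from caching or switch to hash-based source expressions for the inline scripts.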