
CSP unsafe-hashes question

Published on: June 10, 2022 at 8:34 am · By: ernum


I wanted to ask about unsafe-hashes: will that setting come into the module also?

Sucuri scan suggests that: The ‘unsafe-inline’ keyword in Content-Security-Policy is not recommended. Consider using unsafe-hashes or nonces instead.

Or is this also now doable? :)

Best regards

Viewing 1 replies (of 1 total)
  • #74779


    This is very hard to implement and extremely complicated in the way WordPress works. For hashes or nonces to be used, each embedded piece of JavaScript and CSS on each page (and it can be different on each page) has to be processed, its hash calculated, the output modified to include the hash, the hash added to the CSP, and a different CSP built for each page. And a single page can contain 20 or more such blocks, and each has to be processed every time the page is built. And if you use some cache plugin, it is very likely that the plugin would break all that.

    The hashes/nonces concept is all fine and well on paper, but implementing it on a dynamic system like WordPress is next to impossible. So far, I have seen a few websites that have that, but they have one or two embedded scripts on the page and most likely don’t change them often, so they did it, but anything more complex is impossible to do.

    So, there are no plans to implement that.


    Dev4Press - Premium plugins for WordPress.
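The reply above describes the per-page work a hash- or nonce-based CSP needs: find every inline script and style block, hash its exact contents, and emit a policy that lists those hashes (or stamp every block with a fresh nonce and list that instead). The following is an added example of that pipeline written for this page, not code from the GD Security Headers plugin or from Dev4Press; the `SAMPLE_HTML` page is constructed, and the function names are my own.

```python
import base64
import hashlib
import re
import secrets
from html.parser import HTMLParser

# Constructed sample page (not a real WordPress output). Note the second inline
# script has surrounding whitespace: CSP hashes cover the exact text between the tags.
SAMPLE_HTML = """<html><head>
<script>console.log('a');</script>
<style>body{margin:0}</style>
</head><body>
<script src="/app.js"></script>
<script>
  window.x = 1;
</script>
</body></html>"""


class InlineBlockCollector(HTMLParser):
    """Collects the raw text of inline <script> and <style> elements.

    External scripts (those with a src attribute) are skipped: they are covered
    by host-source entries such as 'self', not by content hashes.
    """

    def __init__(self):
        super().__init__()
        self.blocks = {"script": [], "style": []}
        self._current = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style") and not any(k == "src" for k, _ in attrs):
            self._current = tag
            self._buf = []

    def handle_data(self, data):
        if self._current:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if self._current == tag:
            self.blocks[tag].append("".join(self._buf))
            self._current = None


def collect_inline_blocks(html: str) -> dict:
    parser = InlineBlockCollector()
    parser.feed(html)
    parser.close()
    return parser.blocks


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP source expression for one inline block, e.g. 'sha256-<base64>'.

    The digest is taken over the UTF-8 bytes of the block's exact contents,
    whitespace included, which is why any later edit or minification of the
    block (by a cache or optimisation plugin, for instance) invalidates it.
    """
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_hash_csp(html: str) -> str:
    """Build a per-page policy listing a hash for every inline script and style."""
    blocks = collect_inline_blocks(html)
    script_src = ["'self'"] + [csp_hash(s) for s in blocks["script"]]
    style_src = ["'self'"] + [csp_hash(s) for s in blocks["style"]]
    return f"script-src {' '.join(script_src)}; style-src {' '.join(style_src)}"


def new_nonce() -> str:
    """A fresh, unguessable nonce; must be generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def apply_nonce(html: str, nonce: str) -> str:
    """Stamp the nonce onto every <script> and <style> opening tag."""
    return re.sub(r"<(script|style)(?=[\s>])", rf'<\1 nonce="{nonce}"', html)


def build_nonce_csp(nonce: str) -> str:
    """The policy that pairs with apply_nonce(): one expression covers all stamped blocks."""
    return f"script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'"


if __name__ == "__main__":
    print(build_hash_csp(SAMPLE_HTML))
    nonce = new_nonce()
    print(build_nonce_csp(nonce))
    print(apply_nonce(SAMPLE_HTML, nonce))
```

Running it on the sample page produces a `script-src` with two `sha256-` tokens and a `style-src` with one, which illustrates the reply's point: the policy is tied to the exact bytes of each block on that particular page, so it has to be regenerated whenever any block changes, and a cache layer that serves a stored page with a stale header (or rewrites the markup) breaks the match. The nonce route avoids per-block hashing but still requires a new value and a new header on every response, which a full-page cache cannot supply.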
