CSP for WordPress, Drupal, and Joomla: Working Examples

Every CMS platform fights CSP in its own way. WordPress injects inline scripts everywhere. Drupal has its own asset management layer. Joomla plugins do whatever they want with no regard for security headers. Here are working CSP configurations for each, based on real deployments I’ve done. These won’t break your site — I’ve tested them.

WordPress

WordPress is the hardest because of how many things inject inline scripts. The Gutenberg editor, plugins, themes, and WordPress core itself all add JavaScript dynamically. The admin panel is essentially impossible to fully lock down. ...

March 29, 2026 · 5 min · headertest.com