Does anyone have experience or advice on integrating a large, existing WordPress site with Content-Security-Policy?
My employer wants CSP added to our site, and I'm really struggling with it because we have a lot of one-off scripts on hundreds of pages to show information such as "You'll earn $X/hr for this degree" (I work in education). And that's just one area we're having trouble with.
Another issue is that we use WP-Super Cache and it seems to be caching the HTML after the page is sent to the browser, so none of the nonces match the request nonce. Is there a feature in WP-Super Cache or a different recommended caching plugin that will save the HTML after PHP builds the page, but before NGINX sends it back to the browser? Using NGINX, we replace a secret key with the request nonce, but WP-Super Cache seems to be getting the nonce itself, rather than the secret key that we stored with the site.
What are best practices for adding CSP? Am I going about this the wrong way? If this isn’t the right place to ask this, can someone direct me where I might find better resources?
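The ordering problem the question describes, as an added example (not from the poster, WordPress, WP-Super Cache or NGINX): it simulates a cache that stores PHP output with the placeholder intact versus one that stores HTML after the edge has already substituted a request's nonce, and includes a checker that can be run over a cached HTML file to detect baked-in nonces. The placeholder name `__CSP_NONCE__`, `showSalary` and the HTML fragment are constructed for this example.

```python
import re
import secrets

# Placeholder the theme writes into every <script> tag instead of a real nonce;
# the edge (NGINX) swaps it for the per-request nonce when sending the response.
# Constructed name for this example, not the poster's actual secret key.
PLACEHOLDER = "__CSP_NONCE__"
SCRIPT_NONCE_RE = re.compile(r'<script[^>]*\snonce="([^"]*)"', re.IGNORECASE)

# Constructed page fragment as PHP would emit it, before any nonce is known.
TEMPLATE = ('<script nonce="__CSP_NONCE__">showSalary("$62/hr")</script>'
            '<script nonce="__CSP_NONCE__" src="/js/app.js"></script>')


def new_nonce() -> str:
    """Fresh unguessable nonce for exactly one response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying this exact nonce may run."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


def substitute_nonce(cached_html: str, nonce: str) -> str:
    """Edge-side step: replace every placeholder with the request nonce."""
    return cached_html.replace(PLACEHOLDER, nonce)


def cache_entry_is_safe(cached_html: str) -> bool:
    """Reusable only if it still holds the placeholder and no earlier request's nonce."""
    return set(SCRIPT_NONCE_RE.findall(cached_html)) <= {PLACEHOLDER}


def response_is_consistent(html: str, csp_header: str) -> bool:
    """Every <script nonce> in the body must equal the nonce in the CSP header."""
    m = re.search(r"'nonce-([^']+)'", csp_header)
    return m is not None and set(SCRIPT_NONCE_RE.findall(html)) == {m.group(1)}


def serve(cached_html: str) -> tuple[str, str]:
    """One request served from cache: mint a nonce, substitute it, emit the header."""
    nonce = new_nonce()
    return substitute_nonce(cached_html, nonce), build_csp(nonce)


def simulate(cache_before_substitution: bool) -> bool:
    """True if the second request's page passes CSP. False means the cache froze
    the first request's nonce into the HTML, the failure described in the post."""
    cached = TEMPLATE if cache_before_substitution else serve(TEMPLATE)[0]
    html, header = serve(cached)  # second request gets its own nonce
    return response_is_consistent(html, header)
```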