Anyone Integrate Content-Security-Policy with WordPress?

Does anyone have experience or advice on integrating a large, existing WordPress site with Content-Security-Policy?

My employer wants CSP added to our site, and I’m really struggling with it because we have a lot of one-off scripts on 100s of pages to show information such as “You’ll earn $X/hr for this degree” (I work in education). And that’s just one area we’re having trouble with.

Another issue is that we use WP Super Cache and it seems to be caching the HTML after the page is sent to the browser, so none of the nonces match the request nonce. Is there a feature in WP Super Cache or a different recommended caching plugin that will save the HTML after PHP builds the page, but before NGINX sends it back to the browser? Using nginx, we replace a secret key with the request nonce, but WP Super Cache seems to be getting the nonce itself, rather than the secret key that we stored with the site.

What are best practices for adding CSP? Am I going about this the wrong way? If this isn’t the right place to ask this, can someone direct me where I might find better resources?
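The two problems described in the post (inline one-off scripts with no nonce, and cached HTML that holds a real nonce instead of the placeholder) can be checked for mechanically. The sketch below is an added example, not part of the original post and not code from WordPress, WP Super Cache or nginx; the placeholder token, the sample pages and the function names are assumptions made for illustration.

```python
import re
import secrets

# Assumed placeholder token (constructed); the post calls it a "secret key".
PLACEHOLDER = "CSP_NONCE_7f3a_PLACEHOLDER"

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
NONCE_ATTR = re.compile(r"""(?<![\w-])nonce\s*=\s*["']([^"']*)["']""", re.I)
SRC_ATTR = re.compile(r"(?<![\w-])src\s*=", re.I)


def audit_cached_html(html):
    """Return (line, problem) for each <script> tag that breaks under a nonce policy."""
    findings = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = tag.group(1)
        line = html.count("\n", 0, tag.start()) + 1
        nonce = NONCE_ATTR.search(attrs)
        if nonce and nonce.group(1) != PLACEHOLDER:
            # Cache was written after substitution: every visitor gets this stale nonce.
            findings.append((line, "baked-nonce"))
        elif not nonce and not SRC_ATTR.search(attrs):
            # One-off inline script that was never given the placeholder.
            findings.append((line, "inline-no-nonce"))
    return findings


def serve(cached_html):
    """Per-response step: put one fresh nonce into both the CSP header and the body."""
    nonce = secrets.token_urlsafe(16)
    header = f"script-src 'nonce-{nonce}'"
    return header, cached_html.replace(PLACEHOLDER, nonce)


# Constructed sample cache entries (not taken from a real site).
GOOD_CACHE = (
    "<html>\n"
    f'<script nonce="{PLACEHOLDER}">showWage(42)</script>\n'
    f'<script src="/app.js" nonce="{PLACEHOLDER}"></script>\n'
    "</html>"
)
BAD_CACHE = (
    "<html>\n"
    '<script nonce="r4nd0mOldValue">showWage(42)</script>\n'
    "<script>legacy()</script>\n"
    "</html>"
)

if __name__ == "__main__":
    for name, page in (("good", GOOD_CACHE), ("bad", BAD_CACHE)):
        print(name, audit_cached_html(page))
    print(serve(GOOD_CACHE)[0])
```

Running the audit over the files a page cache has written shows whether the cache sits before or after the nonce substitution: a correctly ordered cache contains only the placeholder.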

 
