The original post: /r/nginx by /u/chench0 on 2024-08-11 13:49:29.

I am a beginner when it comes to nginx and ever since adding a CSP to my self hosted Wordpress website, some of my content stopped displaying properly. Upon reviewing my browser console, I ended up having to add ‘unsafe-inline’ to the CSP but I discovered that this is not safe. Here’s my CSP:

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' blob: 'unsafe-inline' https://js.stripe.com https://www.google-analytics.com/analytics.js https://www.gstatic.com https://www.googletagmanager.com/gtag/js https://www.googletagmanager.com 'unsafe-eval'; style-src https://www.gstatic.com https://cdn.jsdelivr.net https://use.fontawesome.com 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; font-src 'self' data: https://fonts.gstatic.com https://s0.wp.com https://use.fontawesome.com; frame-src 'self' https: blob:; img-src 'self' data: https://ts.w.org https://www.google-analytics.com https://lh3.googleusercontent.com https://secure.gravatar.com https://ps.w.org; manifest-src 'self'; connect-src 'self' data: https://www.google-analytics.com/ https://analytics.google.com/;  media-src 'self'";

Some research has lead me to having to use Nonces instead of unsafe-inline but I believe I would also need to edit the scripts? The items the use the unsafe-inline section are plugins that I can’t edit directly since I am using Wordpress.

What are my options to make this safer?

Some more context: I self host Wordpress on a Ubuntu VM (Apache) that sits behind another Ubuntu VM running Nginx. DNS is handled by Cloudflare.