Same here.
After updating the plugin today, my site’s login form stopped working because the Google reCAPTCHA field was always empty. Checking the browser console revealed multiple Content Security Policy (CSP) violations introduced by the plugin.
The update enforced an overly strict CSP that blocked external scripts, styles, and fonts — including essential sources for Google reCAPTCHA (https://www.google.com and https://www.gstatic.com), Google Fonts, and Font Awesome. As a result, the reCAPTCHA script never loaded, preventing the form from submitting.
Deactivating the plugin immediately resolved the issue, confirming that the new CSP rules were the cause. I will keep it deactivated until I hear that there has been a fix.
Quick update: We also noticed these console errors, also related to missing CSP policies falling back to the strict default. It’s possible there’s more:
Loading the script 'URL_REMOVED' violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The action has been blocked.
Loading the stylesheet 'URL_REMOVED' violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The action has been blocked.
hi @freshylance @aristocles,
Thank you for your feedback and patience. After investigating the reported issues, I’ve identified and fixed the core problems.
Version 5.2.1 is now available with the following fixes:
Fixed: Removed overly restrictive security policies that were causing compatibility issues
Fixed: Settings are now preserved when deactivating/updating the plugin
Fixed: CSP directives now work correctly (single quotes no longer escaped)
What changed:
- Based on stable v5.0.45 (the last version that worked well for everyone)
- Added only critical bug fixes without changing default behavior
- No new features that could cause compatibility issues
Please update to v5.2.1 – this version eliminates the problems reported in v5.1.3-5.1.6 while maintaining all security features.
If you experienced issues with v5.1.3-5.1.6, this update resolves them completely.
Thank you for helping improve the plugin!
This reply was modified 6 months, 1 week ago by Andrea Ferro.
@unicorn03 Thank you! Unfortunately, it appears that after updating, the plugin retains the previous default value. I do see that the default value (HSTS_STANDARD_VALUE_CSP constant) is back to simply ‘upgrade-insecure-requests’. Maybe the logic is detecting this previous default value and seeing it as a custom config, so it won’t roll it back.
Previous value we’re seeing (from 5.1.3 – 5.1.6):
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https:; frame-src 'self' https:; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
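To make the console errors quoted earlier in this thread reproducible offline, here is a small CSP evaluator. It is an added example, not code from the plugin or its author: it parses a policy string, resolves the CSP3 fallback chain (script-src-elem falls back to script-src and then default-src, frame-src to child-src and default-src, and so on), and reports which reCAPTCHA-style fetches a given policy would block. The page origin, the resource URLs and the three policy strings (the one printed in the console error, the one quoted above, and a backslash-escaped variant like the "escaped single quotes" bug described in the 5.2.1 notes) are constructed for the example.

```python
"""Added example (not plugin code): evaluate a CSP header the way a browser does,
including the directive fallback chain, to see what a policy blocks."""
from urllib.parse import urlparse

# CSP3 fallback chains. A browser message such as "'script-src-elem' was not
# explicitly set, so 'script-src' is used as a fallback" is exactly this lookup.
FALLBACKS = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
    "worker-src": ("worker-src", "child-src", "script-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
}
# Directives that never fall back to default-src.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox"}


def unslash(value: str) -> str:
    """Undo backslash-escaped quotes (\\'self\\') left behind by slashed storage."""
    return value.replace("\\'", "'").replace('\\"', '"')


def parse_csp(header: str) -> dict:
    """Split 'name src src; name src' into {name: [sources]}; first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_directive(policy: dict, directive: str):
    """Return the directive name that actually governs `directive`, or None."""
    if directive in FALLBACKS:
        chain = FALLBACKS[directive]
    elif directive in NO_FALLBACK:
        chain = (directive,)
    else:
        chain = (directive, "default-src")
    for name in chain:
        if name in policy:
            return name
    return None


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified source-expression matching: 'self', scheme-source, host-source."""
    u = urlparse(url)
    if source == "'self'":
        o = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1]  # scheme-source such as https: or data:
    scheme, sep, rest = source.partition("://")
    if sep and u.scheme != scheme:
        return False
    host = (rest if sep else source).split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return (u.hostname or "") == host


def is_allowed(policy: dict, directive: str, url: str, page_origin: str):
    """(allowed?, governing directive). No governing directive means allowed."""
    name = effective_directive(policy, directive)
    if name is None:
        return True, None
    return any(_source_matches(s, url, page_origin) for s in policy[name]), name


# Constructed, illustrative reCAPTCHA / Google Fonts loads (not real paths).
RECAPTCHA_FETCHES = (
    ("script-src-elem", "https://www.google.com/recaptcha/api.js"),
    ("script-src-elem", "https://www.gstatic.com/recaptcha/recaptcha.js"),
    ("frame-src", "https://www.google.com/recaptcha/anchor"),
    ("style-src-elem", "https://fonts.googleapis.com/css"),
    ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
)

# Constructed policies: as printed in the console error, as quoted in the thread,
# and a slashed variant where every quote has been escaped on save.
CONSOLE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
                  "'unsafe-eval'; style-src 'self' 'unsafe-inline'")
THREAD_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
                 "style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; "
                 "font-src 'self' data: https:; frame-src 'self' https:; object-src 'none'; "
                 "base-uri 'self'; form-action 'self'; upgrade-insecure-requests")
SLASHED_POLICY = "default-src \\'self\\'; script-src \\'self\\' \\'unsafe-inline\\'"


def blocked_fetches(header: str, page_origin: str = "https://example.com"):
    """List (directive, url, governing directive) for every fetch the policy blocks."""
    policy = parse_csp(unslash(header))
    return [(d, url, effective_directive(policy, d))
            for d, url in RECAPTCHA_FETCHES
            if not is_allowed(policy, d, url, page_origin)[0]]


if __name__ == "__main__":
    for label, header in (("console", CONSOLE_POLICY), ("thread", THREAD_POLICY)):
        print(label, "blocks:", blocked_fetches(header) or "nothing")
```

Running it shows the console policy blocking all five loads (the frame and font loads fall through to `default-src 'self'` because no `frame-src` or `font-src` is set), while the policy quoted above allows them through its `https:` sources. The slashed variant is the interesting one for the "single quotes no longer escaped" fix: `\'self\'` is not a keyword, so it is treated as a host-source and matches nothing, which blocks even same-origin scripts until `unslash` is applied.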
Hi @freshylance ,
Thanks for your feedback. Version 5.2.3 is the stable version, like 5.0.45.
Currently, after some testing and user feedback, the 5.2.3 update is needed to resolve the issue. If it doesn’t fix the bug in previous versions, try deleting and reinstalling the plugin.
Solution:
Go to Settings > Headers Security, make any change, Save (forces regeneration)
OR do a clean reinstall: Uninstall plugin > Reinstall > Works
Multiple users confirmed this resolves remaining issues.
Note: Backup custom settings before uninstalling if you have any.
@unicorn03 Thanks for your prompt fix on this issue. Your last response sounds like a solution we could easily do, but not all of your users will know to come here and learn what to do. Just a suggestion, but maybe you could run a check on that field and have it remove those slashes from previously saved values so that it will resolve itself instead. It’ll save you some time having to respond to other complaints and prevent further frustration from other users.
Hi @aristocles,
This update does just that: it takes the header and some fixes and automatically applies them with the update. Option two also applies the fixes by disabling and re-enabling. No need to delete or reinstall.
Thank you for your thread and feedback for all users.
New update 5.2.4 available
With version 5.2.4, I have definitively resolved various issues reported by users, improved compatibility, and optimized the management of security policies generated by the plugin.
To ensure that all changes are applied correctly, I recommend deactivating and reactivating the plugin after the update.
This step allows the system to rebuild the necessary files and fully apply the new settings.
Thank you for your support and for your reports, which have allowed us to improve the plugin.