Title: Breaking update
Last modified: November 13, 2025

---

# Breaking update

 *  Resolved [freshylance](https://wordpress.org/support/users/freshylance/)
 * (@freshylance)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/)
 * Recent updates to this plugin, traced back to 5.1.3, are breaking several sites
   we have this deployed on. Specifically, there is no defined “connect-src” directive,
   so all connect requests (XHR, fetch(), etc) are falling back to the default-src.
   This breaks all connect requests to off-site resources, many of which are legitimate.
   Examples of broken items are Google Analytics tags, Google Fonts, and more.
 * Error in console:
 * `Connecting to 'URL_REMOVED' violates the following Content Security Policy
   directive: "default-src 'self'". Note that 'connect-src' was not explicitly
   set, so 'default-src' is used as a fallback. The action has been blocked.`
 * Header being set:
 *     ```wp-block-code
       default-src 'self'
       script-src 'self' 'unsafe-inline' 'unsafe-eval' https:
       style-src 'self' 'unsafe-inline' https:
       img-src 'self' data: https:
       font-src 'self' data: https:
       frame-src 'self' https:
       object-src 'none'
       base-uri 'self'
       form-action 'self'
       upgrade-insecure-requests
       ```
    -  This topic was modified 6 months, 2 weeks ago by [freshylance](https://wordpress.org/support/users/freshylance/).

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [Aristocles](https://wordpress.org/support/users/aristocles/)
 * (@aristocles)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/#post-18718741)
 * Same here.
 * After updating the plugin today, my site’s login form stopped working because
   the Google reCAPTCHA field was always empty. Checking the browser console revealed
   multiple **Content Security Policy (CSP) violations** introduced by the plugin.
 * The update enforced an overly strict CSP that blocked external scripts, styles,
   and fonts — including essential sources for Google reCAPTCHA (`https://www.google.com`
   and `https://www.gstatic.com`), Google Fonts, and Font Awesome. As a result,
   the reCAPTCHA script never loaded, preventing the form from submitting.
 * Deactivating the plugin immediately resolved the issue, confirming that the new
   CSP rules were the cause. I will keep it deactivated until I hear that there
   has been a fix.
 *  Thread Starter [freshylance](https://wordpress.org/support/users/freshylance/)
 * (@freshylance)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/#post-18718788)
 * Quick update: We also noticed these console errors, also related to missing CSP
   policies falling back to the strict default. It’s possible there’s more:
 * `Loading the script 'URL_REMOVED' violates the following Content Security Policy
   directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem'
   was not explicitly set, so 'style-src' is used as a fallback. The action
   has been blocked.`
 * `Loading the stylesheet 'URL_REMOVED' violates the following Content Security
   Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem'
   was not explicitly set, so 'style-src' is used as a fallback. The action has 
   been blocked.`
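The fallback behaviour reported in the posts above, as an added example that is not part of the thread or the plugin's code: it parses the 5.1.3 to 5.1.6 default policy quoted in this thread and resolves which directive actually governs each request type. The fallback table covers only the request types discussed here, and the source matcher is a simplified subset of CSP matching.

```javascript
// Added example, not plugin code. Policy string is the 5.1.3 - 5.1.6 default quoted in the thread.
const POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; " +
  "style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; " +
  "font-src 'self' data: https:; frame-src 'self' https:; object-src 'none'; " +
  "base-uri 'self'; form-action 'self'; upgrade-insecure-requests";

// Fallback chains from CSP Level 3 for the request types discussed here.
const FALLBACK = {
  'connect-src': ['connect-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'media-src': ['media-src', 'default-src'],
};

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns the directive that actually governs a request type, and its source list.
function effective(directives, type) {
  const name = (FALLBACK[type] || [type]).find((d) => directives.has(d));
  return name ? { governedBy: name, sources: directives.get(name) } : { governedBy: null, sources: null };
}

// Simplified matcher: handles 'self', scheme sources (https:) and exact origins only.
function allows(directives, type, url, selfOrigin) {
  const { sources } = effective(directives, type);
  if (sources === null) return true; // nothing governs this request type
  const target = new URL(url);
  return sources.some((s) =>
    s === "'self'" ? target.origin === selfOrigin
      : /^[a-z][a-z0-9+.-]*:$/i.test(s) ? target.protocol === s.toLowerCase()
        : /^https?:\/\//i.test(s) && new URL(s).origin === target.origin);
}

// Request types with no directive of their own, i.e. silently governed by default-src.
function governedByDefault(directives) {
  return Object.keys(FALLBACK).filter((t) => effective(directives, t).governedBy === 'default-src');
}
console.log(governedByDefault(parsePolicy(POLICY)));
```

Running `governedByDefault` against a policy before deploying it lists every request type that will inherit `default-src`, which is where an off-site XHR or `fetch()` endpoint needs an explicit `connect-src` entry.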
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/#post-18719054)
 * Hi [@freshylance](https://wordpress.org/support/users/freshylance/) [@aristocles](https://wordpress.org/support/users/aristocles/),
 * Thank you for your feedback and patience. After investigating the reported issues,
   I’ve identified and fixed the core problems.
 * **Version 5.2.1 is now available** with the following fixes:
    - **Fixed:** Removed overly restrictive security policies that were causing compatibility
      issues
    - **Fixed:** Settings are now preserved when deactivating/updating the plugin
    - **Fixed:** CSP directives now work correctly (single quotes no longer escaped)
 * **What changed:**
    - Based on stable v5.0.45 (the last version that worked well for everyone)
    - Added only critical bug fixes without changing default behavior
    - No new features that could cause compatibility issues
 * **Please update to v5.2.1** – this version eliminates the problems reported in
   v5.1.3-5.1.6 while maintaining all security features.
 * If you experienced issues with v5.1.3-5.1.6, this update resolves them completely.
 * Thank you for helping improve the plugin!
    -  This reply was modified 6 months, 2 weeks ago by [Andrea Ferro](https://wordpress.org/support/users/unicorn03/).
 *  Thread Starter [freshylance](https://wordpress.org/support/users/freshylance/)
 * (@freshylance)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/#post-18719559)
 * [@unicorn03](https://wordpress.org/support/users/unicorn03/) Thank you! Unfortunately,
   it appears that after updating, the plugins retain the previous default value.
   I do see that the default value (HSTS_STANDARD_VALUE_CSP constant) is back to
   simply ‘upgrade-insecure-requests’. Maybe the logic is detecting this previous
   default value and seeing it as a custom config, so it won’t roll it back.
 * Previous value we’re seeing (from 5.1.3 – 5.1.6):
 *     ```wp-block-code
       default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https:; frame-src 'self' https:; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
       ```
   
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/#post-18720222)
 * Hi [@freshylance](https://wordpress.org/support/users/freshylance/) ,
 * Thanks for your feedback. Version 5.2.3 is the stable version, like 5.0.45.
 * Currently, after some testing and user feedback, the 5.2.3 update is needed to
   resolve the issue. If it doesn’t fix the bug in previous versions, try deleting
   and reinstalling the plugin.
 * Solution:
 * Go to Settings > Headers Security, make any change, Save (forces regeneration)
 * OR do a clean reinstall: Uninstall plugin > Reinstall > Works
 * Multiple users confirmed this resolves remaining issues.
 * Note: Backup custom settings before uninstalling if you have any.
 *  [Aristocles](https://wordpress.org/support/users/aristocles/)
 * (@aristocles)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/breaking-update/#post-18720433)
 * [@unicorn03](https://wordpress.org/support/users/unicorn03/) Thanks for your 
   prompt fix on this issue. Your last response sounds like a solution we could 
   easily do, but not all of your users will know to come here and learn what to
   do. Just a suggestion, but maybe you could run a check on that field and have
   it remove those slashes from previously saved values so that it will resolve 
   itself instead. It’ll save you some time having to respond to other complaints
   and prevent further frustration from other users.
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 1 week ago](https://wordpress.org/support/topic/breaking-update/#post-18722279)
 * Hi [@aristocles](https://wordpress.org/support/users/aristocles/),
 * This update does just that: it takes the header and some fixes and automatically
   applies them with the update. Option two also applies the fixes with disable 
   and re-enable. No need to delete or reinstall.
 * Thank you for your thread and feedback for all users.
 * **New update 5.2.4 available**
 * With version 5.2.4, I have definitively resolved various issues reported by users,
   improved compatibility, and optimized the management of security policies generated
   by the plugin.
 * To ensure that all changes are applied correctly, I recommend deactivating and
   reactivating the plugin after the update.
 * This step allows the system to rebuild the necessary files and fully apply the
   new settings.
 * Thank you for your support and for your reports, which have allowed us to improve
   the plugin.


The topic ‘Breaking update’ is closed to new replies.
