Title: Insecure Script-src and Style-src
Last modified: March 5, 2018

---

# Insecure Script-src and Style-src

 * [rebornhairppp](https://wordpress.org/support/users/rebornhairppp/) (@rebornhairppp)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/insecure-script-src-and-style-src/)

Hi Dylan,

For script-src, I am using an ‘unsafe-eval’ ‘unsafe-inline’ value. For style-src, I am using only an ‘unsafe-inline’ value.

However, according to hardenize.com, these parameters shouldn’t be used because they re-enable insecure behavior that CSP disables by default. Here’s a more in-depth explanation as to why this website doesn’t recommend these values:

 * **Script-src, unsafe-eval**: By default, CSP doesn’t allow dynamic script execution via eval and friends, but this policy overrides that behavior by specifying ‘unsafe-eval’ in the ‘script-src’ directive. As a result, XSS defenses provided by CSP are significantly weakened.
 * **Script-src, unsafe-inline**: By default, CSP doesn’t allow inline script execution, but this policy overrides that behavior by specifying ‘unsafe-inline’ in the ‘script-src’ directive. As a result, all XSS defenses provided by CSP are significantly weakened.
 * **Style-src, unsafe-inline**: This policy allows inline styles. Although they are not as bad as inline scripts in terms of security, an injection bug in the script area would allow the attacker to modify page appearance.

Do you have any sound recommendations to address these security concerns? If I delete these values, I end up getting many errors.

Thanks for the help like always and I apologize for taking so much of your time!

All my best,
Joe

Viewing 2 replies - 1 through 2 (of 2 total)

 * [xarain](https://wordpress.org/support/users/xarain/) (@xarain)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/insecure-script-src-and-style-src/#post-10631001)

I don’t think there is any ‘quick’ way around this given that WordPress core requires the use of inline scripts to work. Instead, you need to use the hash value and proceed to white-list each of them.

 * [Heiko Mitschke](https://wordpress.org/support/users/antares7/) (@antares7)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/insecure-script-src-and-style-src/#post-10631246)

Hello!

There is a way to secure your website, which this plugin supports as well. You can set “nonces” (CSP v3) and remove unsafe attributes. This will set a nonce to each script and style insertion and mark them as ‘safe’.

Best regards,
Heiko

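As an added example, not code from the plugin or from either reply: a small Python script that does what the two replies describe, computing the CSP hash-source for each inline script block in a page and building a nonce-based policy, with a check of which inline blocks each policy would allow. The sample HTML and all function names are constructed for illustration; the same hash and nonce mechanism applies to style-src.

```python
import base64
import hashlib
import re
import secrets
from typing import List, Optional

# Constructed sample page with two inline scripts, the kind WordPress core emits.
SAMPLE_HTML = """<html><head>
<script>window._wpemojiSettings = {"baseUrl":"/emoji/"};</script>
<style>.hidden{display:none}</style>
</head><body>
<script>document.body.className += ' js';</script>
</body></html>"""

# Inline blocks only: a <script src=...> tag is covered by host sources, not hashes.
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)

def inline_script_bodies(html: str) -> List[str]:
    """Exact bodies of inline <script> blocks; any whitespace change alters the hash."""
    return INLINE_SCRIPT_RE.findall(html)

def csp_hash(body: str, alg: str = "sha256") -> str:
    """Hash-source for one block: '<alg>-<base64 digest>' over the UTF-8 body."""
    digest = hashlib.new(alg, body.encode("utf-8")).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def hash_policy(html: str) -> str:
    """script-src listing every inline block by hash, so 'unsafe-inline' can go."""
    sources = ["'self'"] + [f"'{csp_hash(b)}'" for b in inline_script_bodies(html)]
    return "script-src " + " ".join(sources)

def new_nonce() -> str:
    """Per-response nonce; it must be unpredictable and never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def nonce_policy(nonce: str) -> str:
    """script-src that trusts only <script nonce="..."> blocks carrying this nonce."""
    return f"script-src 'self' 'nonce-{nonce}'"

def allows_inline(policy: str, body: str, nonce: Optional[str] = None) -> bool:
    """Would a CSP3 browser run an inline block with this body (and nonce attribute)?"""
    tokens = policy.split()[1:]
    strict = any(t.startswith(("'nonce-", "'sha")) for t in tokens)
    if "'unsafe-inline'" in tokens and not strict:
        return True  # the permissive policy from the thread: every inline block runs
    if nonce is not None and f"'nonce-{nonce}'" in tokens:
        return True
    return f"'{csp_hash(body)}'" in tokens  # with a hash/nonce present, 'unsafe-inline' is ignored
```

Run `hash_policy` against the served HTML after every core, theme or plugin update, since any change to an inline block's text invalidates its hash and reproduces the errors described in the question.
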
The topic ‘Insecure Script-src and Style-src’ is closed to new replies.

 * 2 replies
 * 3 participants
 * Last reply from: [Heiko Mitschke](https://wordpress.org/support/users/antares7/)
 * Last activity: [7 years, 9 months ago](https://wordpress.org/support/topic/insecure-script-src-and-style-src/#post-10631246)
 * Status: not resolved