Title: Request for Additional Custom Header sections from Security Header Last modified: February 8, 2026 --- # Request for Additional Custom Header sections from Security Header * Resolved [Alex Sung](https://wordpress.org/support/users/zerocan/) * (@zerocan) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/) * Hi Support, I would appreciate it if you could provide 10x additional more custom header sections from the security header. Thank you. * ![](https://i0.wp.com/i.imghippo.com/files/LcD8578BzU.png?ssl=1) * Best Regards, Alex Sung * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Frequest-for-additional-custom-header-sections-from-security-header%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 11 replies - 1 through 11 (of 11 total) * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814059) * Hi [@zerocan](https://wordpress.org/support/users/zerocan/), * Thank you for the suggestion! * Based on your screenshot, I see you are trying to add multiple CSP directives( like script-src, style-src, etc.) as separate Custom Headers. * **The Solution:** You actually don’t need 10 separate fields for this. The Content- Security-Policy standard is designed to be sent as a **single header** containing all your rules separated by semicolons (;). * **How to do it correctly:** Instead of splitting them, combine your rules into one long string and put it in the main **“Content Security Policy”** field (if available) or in **one single** “Custom Header” field. * **Example:** - **Header Name:** Content-Security-Policy - **Header Value:** default-src ‘self’; script-src ‘self’ [https://example.com](https://example.com); style-src ‘self’ ‘unsafe-inline’; img-src ‘self’ data:; * This is the standard way browsers expect to receive the policy. Putting them all in one field is cleaner, more efficient, and follows the HTTP specification. * I hope this helps you configure it more easily! * Best regards, * Advanced IP Blocker Team * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814064) * ![](https://i0.wp.com/advaipbl.com/wp-content/uploads/2026/02/AdvaIPBL_CSP.png? ssl=1) * CSP (Content-Security-Policy) Example * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814068) * **A Starter Example (Template):** Here is a common policy that covers Google Analytics, Fonts, and WordPress basics. You can copy this as a starting point, but remember to **adapt it to your specific plugins/services**: * ```wp-block-code default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://stats.wp.com https://*.gravatar.com https://*.google.com https://*.gstatic.com https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https: *.gravatar.com; font-src 'self' https://fonts.gstatic.com data:; frame-src 'self' https://*.google.com https://*.bing.com; connect-src 'self' https://*.google.com https://public-api.wordpress.com; worker-src 'self' blob:; ``` * **How to find what is missing (The Console Trick):** 1. Apply the policy above. 2. Open your website in Chrome/Edge. 3. Right-click anywhere and select **Inspect**. 4. Go to the **Console** tab. 5. Browse your site. If something is blocked (like a broken image or script), you will see a red error message: _“Refused to load… because it violates the Content Security Policy directive…”_ 6. Look at the domain in the error and add it to your policy string in the correct section (e.g., add https://facebook.com to script-src if a Facebook widget is blocked). * I hope this helps you build a strong policy without needing extra fields! * Thread Starter [Alex Sung](https://wordpress.org/support/users/zerocan/) * (@zerocan) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814090) * Hi Support, Thanks for your sharing. In fact, based on the **CSP level 2 & 3** there’s a lot of more customization I can add and tailor to fit according to the attacks vectors or secure the web application.You can have a look at the reference links I shared below. I believe you can add ten times more custom header sections without it causing too many issues.Right now, I’m dealing with a limitation in the custom header sections for setting up the CSP policy.I can’t wait for you to take my suggestion onboard and enhance that additional feature. **Reference Links**[https://content-security-policy.com/](https://content-security-policy.com/) [https://www.geeksforgeeks.org/javascript/content-security-policy-csp/](https://www.geeksforgeeks.org/javascript/content-security-policy-csp/) [https://developer.chrome.com/docs/privacy-security/csp](https://developer.chrome.com/docs/privacy-security/csp) [https://www.w3.org/TR/CSP3/](https://www.w3.org/TR/CSP3/)Best Regards,Alex Sung * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814177) * Hi Alex, * Thank you for the detailed references. I understand you want granular control over CSP Level 2/3 directives. * **Technical Clarification:** I believe there is a misunderstanding about how the Content-Security-Policy header works in the HTTP standard. * You **do not need multiple header fields** to implement complex policies. The standard requires **all directives** (script-src, style-src, frame-ancestors, report-uri, etc.) to be included in a **single header string**, separated by semicolons (;). * **Example of a complex Level 3 Policy in one field:** default-src ‘none’; script- src ‘self’ ‘nonce-xyz’; style-src ‘self’ [https://example.com](https://example.com); img-src *; media-src media1.com media2.com; frame-ancestors ‘none’; report-uri/ csp-report; * **You can already do this right now:** In our plugin, simply use the main **“ Content-Security-Policy”** text area (or one Custom Header field). You can paste a policy string of any length and complexity there. It supports all Level 2 and Level 3 directives perfectly. * **Why we won’t add 10 separate fields:** Sending multiple separate Content-Security- Policy headers (one per field) causes browsers to enforce the **most restrictive intersection** of all of them, which often breaks sites unintentionally and is not the standard way to deploy a policy. * **Recommendation:** Use a tool like [Report URI’s Wizard](https://report-uri.com/home/generate) to build your complex policy string, and then paste that **single string** into the plugin’s CSP field. That will give you the full power you are looking for. * Best regards, * Advanced IP Blocker Team * Thread Starter [Alex Sung](https://wordpress.org/support/users/zerocan/) * (@zerocan) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814239) * Thank you so much for your detailed clarification. **Scenario 1**In that case, it would be best to remove the predetermined CSP sections (highlighted in the image below) and instead label them as a custom header. In this way, users can decide how they want to fill it out based on their specific needs. It might also be helpful if you can help to create a guide on how users can manage their CSP.** Scenario 2**We shall also consider avoid generating lengthy fields mainly because users can do their own testing. If we make it too long, it could be hard to troubleshoot for cases that it may just crash the whole site. Plus, it’s easier for them to preview and make quick adjustments without having to read through a complicated and lengthy field.Even if user have a lot of custom header sections, you might want to think about rewriting your code to combine all those sections into one single header. * ![](https://i0.wp.com/i.imghippo.com/files/BSZh7819qTA.png?ssl=1) * Best Regards, Alex Sung * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814315) * Hi Alex, * Thank you for the detailed suggestions. I see what you mean about breaking down the policy for readability. * **Regarding Scenario 1 (UI Labels):** The plugin already provides generic “Custom Header” fields below the main ones. If you prefer not to use the dedicated CSP text area, you can simply leave it empty and use the “Custom Header” fields to define Content-Security-Policy or any other header manually. * **Regarding Scenario 2 (Merging Fields):** While merging multiple fields into one header programmatically is possible, it adds complexity and potential for errors (e.g., if a user wants to add a different type of header).Currently, the industry standard for managing CSP (in plugins, Cloudflare, or server configs) is a single block of text because the policy is evaluated as a whole unit. * **CSP Guide:** Creating a universal guide for CSP is extremely difficult because every website uses different plugins, themes, and external services (Google, Facebook, Stripe, etc.). A policy that works for Site A will break Site B.This is why we mark CSP as an **“Advanced”** feature. It requires the site administrator to audit their specific site’s resources using the browser console. * For now, we recommend using online tools like [Report URI](https://report-uri.com/home/generate) to build/validate your string, and then pasting the final result into our plugin. * We will keep your UX suggestion in mind for a future redesign of the headers section! * Best regards, * Advanced IP Blocker Team * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814319) * **P.S.** I tried to visit your site (swha.online) to check your console errors and give you a specific CSP example, but the “Right Click / Inspect Element” protection script you have installed prevented me from opening the Developer Tools.If you need further help debugging your policy, you might need to temporarily disable that protection so we (or you) can see the browser console errors that tell you exactly what is being blocked. * Thread Starter [Alex Sung](https://wordpress.org/support/users/zerocan/) * (@zerocan) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814348) * Lately my site has been hit by waves of difference types of cyberattacks vectors. As a result, I’ve ramped up the security on the CDN, WordPress, and web hosting. For the most part, I’ll stick to your recommendations. I really appreciate your time and effort. Additionally, I have another feature request on the massive blacklist import (both manually and automatically) in which I’m not sure if you’d be interested in. If so, i may just start another thread. * ![](https://i0.wp.com/i.imghippo.com/files/NWTn8304x.png?ssl=1) * Best Regards, Alex Sung * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18814453) * Hi Alex, * Thank you for understanding! * **About your Feature Request:** Please do start a **new thread** for that topic. It helps other users find answers and keeps the discussion focused. * **Quick preview for that new thread:** You can actually already export and import your Blocked IPs list! 1. Go to **Security > Settings > Import / Export**. 2. Choose **“Export Full Backup”**. 3. This JSON file includes your entire Blocked IPs database table. You can import this file into another site running the plugin to transfer your blocklist instantly. * If you are asking about importing _external_ text lists (like from GitHub), that is a different story, and we can discuss the pros/cons in the new thread (spoiler: manual lists often cause false positives!). * See you in the new thread! * Best regards, * Advanced IP Blocker Team * Plugin Author [IniLerm](https://wordpress.org/support/users/inilerm/) * (@inilerm) * [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18816369) * Hi [@zerocan](https://wordpress.org/support/users/zerocan/) , * I’m marking this thread as resolved. Feel free to open a new topic if you have further questions. * Thanks. Viewing 11 replies - 1 through 11 (of 11 total) You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Frequest-for-additional-custom-header-sections-from-security-header%2F%3Foutput_format%3Dmd&locale=en_US) to reply to this topic. * ![](https://ps.w.org/advanced-ip-blocker/assets/icon-256x256.png?rev=3320247) * [Advanced IP Blocker](https://wordpress.org/plugins/advanced-ip-blocker/) * [Frequently Asked Questions](https://wordpress.org/plugins/advanced-ip-blocker/#faq) * [Support Threads](https://wordpress.org/support/plugin/advanced-ip-blocker/) * [Active Topics](https://wordpress.org/support/plugin/advanced-ip-blocker/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/advanced-ip-blocker/unresolved/) * [Reviews](https://wordpress.org/support/plugin/advanced-ip-blocker/reviews/) * 15 replies * 2 participants * Last reply from: [IniLerm](https://wordpress.org/support/users/inilerm/) * Last activity: [4 months ago](https://wordpress.org/support/topic/request-for-additional-custom-header-sections-from-security-header/#post-18816369) * Status: resolved