Free WordPress Content Security Policy plugin

Secure your WordPress site with real CSP headers.

aCSP Builder 1.5.1 lets you build, test, and enforce Content Security Policy headers directly from the WordPress admin — nonce and hash directives, preset frameworks, violation reporting, and administrative controls without a paid license.

100% Free · Version 1.5.1 (current) · 3 Presets

Full CSP lifecycle from one WordPress admin page

Nonce injection, hash allowlists, preset frameworks, custom policy, Report-Only mode, violation reports, CSP meta tag, upgrade insecure requests, compatibility mode.

Build CSP that works with real WordPress sites.

Designed for WordPress administrators who need granular CSP control without breaking themes, plugins, or third-party integrations.

01 Nonce injection modes

Choose between Compatibility mode for broad script rewriting and WordPress Hooks mode for stricter enqueued-script and style handling. Nonces are injected automatically into inline scripts and registered enqueues.

02 Hash allowlist management

Allowlist SHA-256, SHA-384, and SHA-512 values for scripts and styles. Hashes are placed on standard directives by default and on attribute directives when 'unsafe-hashes' is present.

03 Built-in preset frameworks

Start from curated presets that balance security and compatibility for common WordPress setups — or build a fully custom policy from scratch.

04 Report-Only and Enforce modes

Test new policies in Report-Only mode before enforcing them. Violations are collected without blocking content, giving you data to refine your policy.

05 Built-in violation reporting

Collect, browse, and export CSP violation reports from a dedicated admin page. Payload, rate, retention, and query-index controls protect the public endpoint.
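The controls listed here (payload cap, rate limit, retention, row-count pruning) are easier to reason about in code. The following Python sketch is an added example, not the plugin's implementation: it accepts both the legacy `{"csp-report": {...}}` body and the Reporting API `report-to` array format, normalizes them to one record shape, and applies each control. The limits, client addresses and sample reports are constructed values for the example, not the plugin's defaults.

```python
from __future__ import annotations

import json
import time
from collections import defaultdict, deque

# Endpoint limits (assumed values for this example, not the plugin's defaults).
MAX_PAYLOAD_BYTES = 8 * 1024        # reject bodies larger than this before parsing
RATE_LIMIT_PER_WINDOW = 5           # reports accepted per client per window
RATE_WINDOW_SECONDS = 60
MAX_ROWS = 1000                     # row-count pruning keeps only the newest rows
MAX_FIELD_CHARS = 512               # truncate long strings before storing them

# Only these fields are stored; anything else in a report is discarded.
KEEP_FIELDS = ("document-uri", "violated-directive", "effective-directive",
               "blocked-uri", "source-file", "line-number", "disposition")

# Reporting API (report-to) body keys mapped onto the legacy csp-report names.
REPORTING_API_KEYS = {"documentURL": "document-uri", "effectiveDirective": "effective-directive",
                      "blockedURL": "blocked-uri", "sourceFile": "source-file",
                      "lineNumber": "line-number", "disposition": "disposition"}


def normalize(payload: bytes) -> list[dict]:
    """Parse a legacy {"csp-report": {...}} body or a Reporting API array into flat records."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large")
    try:
        data = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("body is not valid JSON") from None
    reports: list[dict] = []
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        reports.append(data["csp-report"])
    elif isinstance(data, list):
        for item in data:
            if (isinstance(item, dict) and item.get("type") == "csp-violation"
                    and isinstance(item.get("body"), dict)):
                reports.append({REPORTING_API_KEYS.get(k, k): v for k, v in item["body"].items()})
    if not reports:
        raise ValueError("no CSP violation report in body")
    records = []
    for r in reports:
        rec = {}
        for field in KEEP_FIELDS:
            v = r.get(field)
            rec[field] = v[:MAX_FIELD_CHARS] if isinstance(v, str) else v
        records.append(rec)
    return records


class Collector:
    """In-memory stand-in for a report table, with rate and retention controls."""

    def __init__(self, now=time.time):
        self._now = now                                   # injectable clock for testing
        self._hits: dict[str, deque] = defaultdict(deque)  # client -> recent hit timestamps
        self.rows: deque = deque()

    def _allowed(self, client: str) -> bool:
        now, q = self._now(), self._hits[client]
        while q and now - q[0] > RATE_WINDOW_SECONDS:      # forget hits outside the window
            q.popleft()
        if len(q) >= RATE_LIMIT_PER_WINDOW:
            return False
        q.append(now)
        return True

    def ingest(self, client: str, payload: bytes) -> tuple[int, str]:
        """Return the HTTP status the endpoint would answer with."""
        if not self._allowed(client):                     # rate-limit before parsing
            return 429, "rate limited"
        try:
            records = normalize(payload)
        except ValueError as exc:
            return 400, str(exc)
        for rec in records:
            rec["received_at"] = self._now()
            self.rows.append(rec)
            while len(self.rows) > MAX_ROWS:              # row-count pruning: drop oldest
                self.rows.popleft()
        return 204, "stored"

    def prune_older_than(self, seconds: float) -> int:
        """Retention control: remove rows older than the given age; return the count removed."""
        cutoff = self._now() - seconds
        before = len(self.rows)
        self.rows = deque(r for r in self.rows if r["received_at"] >= cutoff)
        return before - len(self.rows)


# Constructed sample reports in both formats.
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/", "violated-directive": "script-src 'nonce-abc'",
    "effective-directive": "script-src", "blocked-uri": "inline", "disposition": "report"}}).encode()
REPORTING_API_REPORT = json.dumps([{"type": "csp-violation", "age": 10, "url": "https://example.test/",
    "body": {"documentURL": "https://example.test/", "effectiveDirective": "style-src",
             "blockedURL": "inline", "disposition": "enforce", "lineNumber": 12}}]).encode()


def demo() -> tuple[list[int], int]:
    """Two good reports, an oversized body, a non-JSON body, then the rate limit trips."""
    clock = [0.0]
    c, ip = Collector(now=lambda: clock[0]), "203.0.113.7"
    statuses = [c.ingest(ip, LEGACY_REPORT)[0], c.ingest(ip, REPORTING_API_REPORT)[0],
                c.ingest(ip, b"x" * (MAX_PAYLOAD_BYTES + 1))[0], c.ingest(ip, b"{not json")[0],
                c.ingest(ip, LEGACY_REPORT)[0], c.ingest(ip, LEGACY_REPORT)[0]]
    return statuses, len(c.rows)                          # -> ([204, 204, 400, 400, 204, 429], 3)


def retention_demo(days_kept: int = 7) -> tuple[int, int]:
    clock = [0.0]
    c = Collector(now=lambda: clock[0])
    c.ingest("198.51.100.2", LEGACY_REPORT)
    clock[0] = 86400.0 * (days_kept + 1)                  # advance past the retention window
    c.ingest("198.51.100.2", LEGACY_REPORT)
    return c.prune_older_than(86400.0 * days_kept), len(c.rows)   # -> (1, 1)
```

Rejected bodies still consume a rate-limit slot, which is deliberate: a client flooding the public endpoint with junk should be throttled before the parser does any work.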

06 Custom endpoint testing

Test third-party report endpoints through the WordPress safe HTTP request API with TLS verification before switching away from the built-in collector.

07 CSP meta tag support

Optionally emit CSP as an HTML meta tag for page-level policies. Report-Only mode skips meta output to avoid accidental enforcement.
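The mode-dependent delivery described here has two details worth seeing in code: there is no Report-Only form of the meta tag (a meta policy always enforces), and the CSP specification makes browsers ignore `frame-ancestors`, `report-uri`, `report-to` and `sandbox` when they arrive via `<meta>`. The Python below is an added example, not the plugin's code; the policy and the report path in it are constructed values.

```python
from __future__ import annotations

# Directives the CSP spec says are ignored in a <meta http-equiv> element;
# they only take effect when delivered in the HTTP header.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}

HEADER_NAMES = {
    "enforce": "Content-Security-Policy",
    "report-only": "Content-Security-Policy-Report-Only",
}


def serialize(policy: dict[str, list[str]]) -> str:
    """Join directives with '; ' and source expressions with spaces; valueless directives are allowed."""
    return "; ".join(f"{name} {' '.join(values)}".rstrip() for name, values in policy.items())


def http_header(policy: dict[str, list[str]], mode: str) -> tuple[str, str]:
    """Return (header name, header value) for the chosen delivery mode."""
    if mode not in HEADER_NAMES:
        raise ValueError(f"unknown mode {mode!r}; expected 'enforce' or 'report-only'")
    return HEADER_NAMES[mode], serialize(policy)


def meta_dropped_directives(policy: dict[str, list[str]]) -> list[str]:
    """Directives that would be silently lost if this policy were delivered as a meta tag."""
    return sorted(name for name in policy if name in META_UNSUPPORTED)


def _attr_escape(text: str) -> str:
    # The content attribute is double-quoted, so only '&' and '"' need escaping.
    return text.replace("&", "&amp;").replace('"', "&quot;")


def meta_tag(policy: dict[str, list[str]], mode: str) -> str | None:
    """Emit nothing in report-only mode (a meta tag can only enforce); in enforce mode
    strip the directives the meta element does not support."""
    if mode != "enforce":
        return None
    trimmed = {k: v for k, v in policy.items() if k not in META_UNSUPPORTED}
    if not trimmed:
        return None
    return f'<meta http-equiv="Content-Security-Policy" content="{_attr_escape(serialize(trimmed))}">'


# Constructed sample policy (not one of the plugin's presets); the report path is made up.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'nonce-R4nd0mNonce'"],
    "style-src": ["'self'", "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"],
    "frame-ancestors": ["'none'"],
    "report-uri": ["/example-csp-report"],
    "upgrade-insecure-requests": [],
}

if __name__ == "__main__":
    for mode in ("report-only", "enforce"):
        print(mode, http_header(POLICY, mode), meta_tag(POLICY, mode), sep="\n  ")
    print("lost in meta form:", meta_dropped_directives(POLICY))
```

`meta_dropped_directives` is the check an admin page should surface before offering the meta option: a policy that relies on `frame-ancestors` for clickjacking protection loses it entirely in meta form.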

08 Upgrade insecure requests

Enable the upgrade-insecure-requests directive to instruct browsers to rewrite HTTP URLs to HTTPS before loading resources.

Start from a solid foundation.

Curated presets balance security with real-world WordPress compatibility. Each preset is a complete starting policy you can customize.

Strict

Restrictive policy with nonce-only scripts, no inline styles, and minimal external origins. Best for sites with fully controlled assets.

Standard

Balanced policy with nonce for scripts, hashes for inline styles, and allowlisted CDN origins. Works with most WordPress setups.

Permissive

Relaxed policy that allows inline scripts and styles with nonces, broad origins, and fallback directives. Useful during migration or testing.

Custom

Start from a blank policy and build every directive manually. Full control over every CSP value, nonce mode, and hash setting.

Hardened at every layer.

CSP values, endpoints, and storage are validated, sanitized, and permission-checked before any action is taken.

Value sanitization

Embedded directive delimiters cannot create hidden directives. Hash values are validated as proper SHA-256, SHA-384, or SHA-512 strings.
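Two earlier points come together here: hash allowlist management (hashes on the standard directives by default, mirrored onto the attribute directives when `'unsafe-hashes'` is present) and value sanitization (no embedded delimiters, hash strings validated for their algorithm). The Python below is an added example and not the plugin's code; it computes hashes the way browsers do, validates hash tokens by decoded digest length, refuses any source value containing a directive or policy delimiter, and places hashes according to the rule above. The inline content, base policy and fixed nonce are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import re
import secrets

DIGEST_BYTES = {"sha256": 32, "sha384": 48, "sha512": 64}
HASH_TOKEN = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$")
# ';' ends a directive, ',' ends a policy, whitespace splits source expressions and
# control characters do not belong in a header: none may appear inside one value.
ILLEGAL_IN_VALUE = re.compile(r"[;,\s\x00-\x1f\x7f]")


def sanitize_value(value: str) -> str:
    """Accept a single source expression or reject it; never try to 'repair' it."""
    value = value.strip()
    if not value or ILLEGAL_IN_VALUE.search(value):
        raise ValueError(f"illegal CSP source value: {value!r}")
    return value


def csp_hash(content: str, algo: str = "sha256") -> str:
    """Hash inline script/style text the way browsers do: UTF-8 bytes, standard base64."""
    if algo not in DIGEST_BYTES:
        raise ValueError(f"unsupported algorithm {algo!r}")
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def valid_hash_token(token: str) -> bool:
    """True only for 'shaNNN-<base64>' whose decoded digest has the right length."""
    m = HASH_TOKEN.match(token)
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return False
    return len(raw) == DIGEST_BYTES[m.group(1)]


def build_policy(base: dict[str, list[str]], *, script_hashes=(), style_hashes=(),
                 nonce: str | None = None) -> dict[str, list[str]]:
    """Sanitize the base policy, add a per-request script nonce, then place the hashes."""
    policy = {name: [sanitize_value(v) for v in values] for name, values in base.items()}
    nonce = nonce or secrets.token_urlsafe(16)       # fresh per response in real use
    policy.setdefault("script-src", []).append(f"'nonce-{nonce}'")
    for directive, hashes in (("script-src", script_hashes), ("style-src", style_hashes)):
        bad = [h for h in hashes if not valid_hash_token(h)]
        if bad:
            raise ValueError(f"rejected hash token(s): {bad}")
        targets = [directive]                         # default placement
        attr = directive + "-attr"
        # Hashes cover event handlers / style attributes only under 'unsafe-hashes', and
        # once a *-attr directive exists browsers consult it instead of the base one, so
        # mirror the hashes (and 'unsafe-hashes' itself) onto the attribute directive.
        if "'unsafe-hashes'" in policy.get(directive, []) + policy.get(attr, []):
            attr_list = policy.setdefault(attr, [])
            if "'unsafe-hashes'" not in attr_list:
                attr_list.append("'unsafe-hashes'")
            targets.append(attr)
        for t in targets:
            lst = policy.setdefault(t, [])
            for h in hashes:
                if h not in lst:
                    lst.append(h)
    return policy


# Constructed inline content that cannot carry a nonce.
ONCLICK_BODY = "toggleMenu()"           # body of an onclick="" attribute
INLINE_STYLE = "body { margin: 0 }"     # a <style> block emitted by a theme


def demo() -> dict[str, list[str]]:
    base = {"default-src": ["'self'"],
            "script-src": ["'self'", "'unsafe-hashes'"],
            "style-src": ["'self'", "https://fonts.googleapis.com"]}
    return build_policy(base, script_hashes=[csp_hash(ONCLICK_BODY)],
                        style_hashes=[csp_hash(INLINE_STYLE, "sha384")], nonce="TESTNONCE")


if __name__ == "__main__":
    for name, values in demo().items():
        print(f"{name} {' '.join(values)};")
```

In the demo, `script-src` carries `'unsafe-hashes'`, so the handler hash lands on both `script-src` and `script-src-attr`; `style-src` does not, so its hash stays on the standard directive and no `style-src-attr` is created. The length check in `valid_hash_token` is what stops a SHA-256 digest being accepted under a `sha384-` prefix.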

Endpoint hardening

Custom endpoint tests use the WordPress safe HTTP API with TLS verification. The built-in endpoint has payload, rate, retention, and row-count controls.

Capability checks

All preset and reset mutation handlers require the manage_options capability. Ajax handlers verify nonces and user permissions.

SSRF protection

Remote endpoint testing validates URLs and sends requests through the WordPress HTTP API with TLS verification, preventing server-side request forgery vectors.

Go from install to enforced policy.

  1. Install and activate

    Upload the plugin to the WordPress plugins folder, activate aCSP Builder, and open the new CSP menu item in the WordPress admin.

  2. Choose a preset or build custom

    Select a preset from the presets page or open the custom builder to define every directive manually.

  3. Configure nonce mode and hashes

    Select Compatibility or Hooks mode for nonce injection. Add hash allowlists for inline scripts and styles that cannot use nonces.

  4. Test with Report-Only

    Enable Report-Only mode to collect violations without blocking resources. Review reports to identify needed policy adjustments.

  5. Switch to Enforce

    When your policy passes testing, switch to Enforce mode. Browsers will apply CSP headers and block policy violations.

Common questions about Content Security Policy.

What is Content Security Policy?
CSP is a browser security standard that controls which resources (scripts, styles, images, etc.) a page can load. It prevents cross-site scripting and data injection attacks.

Will CSP break my site?
Use Report-Only mode initially. It collects violations without blocking resources. Review the reports, adjust your policy, then switch to Enforce when ready.

What are nonces and hashes?
Nonces are one-time tokens added to inline scripts that allow them to execute. Hashes are cryptographic fingerprints of inline content — scripts or styles whose hash matches the allowlist are permitted.

What preset should I start with?
Start with the Standard preset. It balances security with WordPress compatibility. Review violation reports and adjust directives as needed for your specific plugins and theme.

Does it work with page builders?
Yes. Compatibility nonce mode rewrites inline scripts from page builders and plugins. Hash allowlists can cover inline styles. If issues arise, switch to Report-Only and adjust.

How are violation reports stored?
Reports are stored in a dedicated database table with indexed lookups. You can set retention limits and row-count pruning to control storage growth.

Take control of your CSP.

Install aCSP Builder from GitHub and build a Content Security Policy that protects your WordPress site without breaking it.