Content-Security-Policy (CSP) header validation

Chest_Heart_Stroke_S · March 19, 2020, 10:15am

Hi,
I am trying to secure an A+ rating for a wordpress installation running gravity forms.
can only get a maximum of an A rating as the Content-Security-Policy requires ‘unsafe-inline’ (removing it disables the forms) ‘unsafe-eval’ (removing it disables entries export) to display and run gravity forms.

Can anyone advise what CSP settings allow GF to operate properly?

header("Content-Security-Policy: default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https: ; ");

Any help welcome.
Jason

chrishajer · March 19, 2020, 2:11pm

I recommend opening a support ticket for these questions, but I will leave this open here as well in case anyone has a recommendation.

https://www.gravityforms.com/open-support-ticket/

Topic		Replies	Views
Inline javascript event handles interfere with CSP Get Help custom , javascript , csp , unsafe-inline	7	557	August 8, 2023
Intrusions Attempts Via Gravity Forms General Discussion security	2	323	November 2, 2022
Content Security Policy header blocks AJAX confirmation Get Help csp , old-wp	1	49	April 19, 2024
Gravity Forms 2.4 Update Causes Error Upon Submission - WPENGINE SSLed Websites Get Help bug , managewp	14	5919	January 4, 2022
cleanTalk Secutity flags GravityForm as Malware General Discussion security	2	830	January 5, 2022

Content-Security-Policy (CSP) header validation

Related Topics