How to fix missing content security policy on WooCommerce
Add a Content-Security-Policy (CSP) response header to every page so browsers block unauthorized scripts, styles, and resources from loading.
Steps for WooCommerce
- Install the free WordPress plugin 'Headers Security Advanced & HSTS WP' or 'HTTP Headers' (by RaMMicHaeL) from the WordPress plugin repository: WP Admin → Plugins → Add New → search plugin name → Install & Activate.
- Alternatively, add the header directly in your theme's `functions.php` (or a site-specific plugin, which survives theme updates): `add_action('send_headers', function(){ header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' [your-approved-domains]; object-src 'none'"); });` Replace `[your-approved-domains]` with the hosts your store actually loads scripts from. Note that `'unsafe-inline'` lets any inline `<script>` block run, including one an attacker manages to inject, so it keeps pages working at the cost of most of the XSS protection; drop it once inline scripts have been moved to files or given nonces.
- Or add it to your `.htaccess` (Apache) file in the public root (requires `mod_headers`): `Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"`
- For Nginx servers, add `add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'";` inside the relevant `server {}` block in your Nginx config file. Be aware that any `add_header` inside a nested `location {}` block replaces all headers inherited from `server {}`, so check the response headers of a few different URLs rather than just the home page.
- Use the plugin's built-in violation reporting or a free service like report-uri.com to monitor for broken resources before enforcing. Start with the `Content-Security-Policy-Report-Only` header, which reports violations without blocking anything, and switch to the enforcing `Content-Security-Policy` header once the reports are clean.
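Before turning a policy on, it is worth checking it for the mistakes that make a CSP look present while protecting little. The following is an added example, not code from the original guide or from any of the plugins named above: a small parser for the CSP header format plus a lint pass for the common weaknesses, run over the policies given in the steps above (the `[your-approved-domains]` placeholder from the `functions.php` step is deliberately left unfilled so the check catches it). The finding texts and the choice of which weaknesses to flag are this example's own.

```python
"""Lint a Content-Security-Policy value before you enforce it.

Added example; the policies at the bottom are the ones quoted in the
WooCommerce steps, the linter and its findings are not from the guide.
"""
from __future__ import annotations

import re

# Source expressions that, in script-src, let any host's scripts run.
BROAD_SCRIPT_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
# Directives that do NOT fall back to default-src and so must be set explicitly.
NO_FALLBACK = ("base-uri", "frame-ancestors")
# An unfilled placeholder such as [your-approved-domains] is not a valid source.
PLACEHOLDER = re.compile(r"^[\[<{].*[\]>}]$")


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}.

    Directive names are case-insensitive; as in browsers, the first
    occurrence of a directive wins and later duplicates are ignored.
    """
    policy: dict[str, list[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def lint_csp(header_value: str) -> list[str]:
    """Return findings for `header_value`; an empty list means nothing obvious is wrong."""
    policy = parse_csp(header_value)
    findings: list[str] = []

    if "default-src" not in policy:
        findings.append("default-src missing: every fetch directive you omit is unrestricted")

    scripts = effective(policy, "script-src")
    if not scripts:
        findings.append("script-src unrestricted: neither script-src nor default-src is set")
    # Browsers ignore 'unsafe-inline' when a nonce or hash is present, so only
    # flag it when it is actually in effect.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
    )
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an injected inline <script> still executes")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval': eval() and Function() strings remain executable")
    broad = sorted(BROAD_SCRIPT_SOURCES.intersection(scripts))
    if broad:
        findings.append(f"script-src is wildcard or scheme-wide ({', '.join(broad)}): allows any host")

    # object-src falls back to default-src; anything but 'none' permits plugin content.
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")

    for name in NO_FALLBACK:
        if name not in policy:
            findings.append(f"{name} missing: it does not inherit from default-src")

    for name, sources in policy.items():
        for src in sources:
            if PLACEHOLDER.match(src):
                findings.append(f"{name} contains unfilled placeholder {src}")
    return findings


# The three policies quoted in the steps above.
FUNCTIONS_PHP_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' [your-approved-domains]; object-src 'none'"
)
HTACCESS_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"
FULL_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
    "font-src 'self' https://fonts.gstatic.com; object-src 'none'; "
    "frame-ancestors 'none'; base-uri 'self'"
)

if __name__ == "__main__":
    for label, value in (("functions.php", FUNCTIONS_PHP_POLICY),
                         (".htaccess", HTACCESS_POLICY),
                         ("full example", FULL_POLICY)):
        print(f"{label}: {len(lint_csp(value))} finding(s)")
        for finding in lint_csp(value):
            print("  -", finding)
```

Run as a script it reports four findings for the `functions.php` policy (the inline-script allowance, the unfilled placeholder, and the two directives that do not inherit from `default-src`), two for the `.htaccess` one, and none for the fuller policy. The linter deliberately ignores `'unsafe-inline'` in `style-src`, which the fuller policy needs for WordPress's inline styles and which carries far less risk than inline scripts.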
A fuller example policy:
`Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self'`
What is missing content security policy?
A Content Security Policy (CSP) is an HTTP response header your web server sends to a visitor's browser. It acts like a whitelist, telling the browser exactly which domains and sources are allowed to load scripts, stylesheets, images, fonts, and other content on your site. If a piece of code tries to load from a source not on your list — for example, a malicious script injected by an attacker — the browser simply refuses to run it. Without a CSP header, the browser has no such instructions and will run whatever code it finds on the page.
Without a CSP, your store is significantly more vulnerable to Cross-Site Scripting (XSS) and data-injection attacks — the #3 risk in the OWASP Top Ten. Attackers who find even a small vulnerability in a plugin, theme, or third-party widget can inject malicious scripts that steal customer payment card details, session cookies, or personal data directly from the browser (a technique known as "formjacking" or "Magecart"). A successful attack can result in PCI-DSS compliance failures, card-brand fines, regulatory penalties under GDPR or CCPA, and severe damage to customer trust. Search engines also consider site security as a ranking signal, and a compromised site can be blocklisted by Google, wiping out organic traffic overnight.
See the complete Missing content security policy guide for every platform and the full background.