Script-src CSP web rule prevents editing in Cornerstone

My client’s IT Dept scanned the CSP (Content Security Policy) of their site and required several changes to protect from potential attacks. Adding any web rules for script-src to the WPEngine instance prevents not only LayerSlider from working, but worse, it prevents Cornerstone from being able to open to edit any pages. It also prevents the WPML multi-language function from working.

Are there any suggested security policy web rules to use to allow these scripts to run while protecting from unwanted attacks?

These rules work to scan clean, but don’t allow editing or LayerSlider:
upgrade-insecure-requests; script-src 'self' 'strict-dynamic' https://.com; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; report-uri https://.com;

Hey @disadmin,

Regretfully, we don’t have a solution for that and it is beyond the scope of our theme and bundled plugins.

Please consult with a security expert regarding this server configuration issue.

Thanks.
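
The following checker is an added example, not part of the original thread or of any code from the theme or host. It shows why a policy shaped like the one in the first post stops every script, editor and slider included: `'strict-dynamic'` makes browsers ignore `'self'` and host sources, and no nonce or hash is present to trust a first script. Function names are hypothetical and the hosts and nonce are constructed placeholders.

```javascript
// Added example; function names are hypothetical, policies are constructed.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers use the first occurrence of a directive and ignore repeats.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_=-]+'$/i;
// Keywords that stay meaningful when 'strict-dynamic' is present.
const KEPT = /^'(strict-dynamic|unsafe-eval|wasm-unsafe-eval|unsafe-hashes|report-sample)'$/i;

function auditScriptPolicy(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const sources = d.get('script-src') ?? d.get('default-src') ?? [];
  if (sources.some(s => s.toLowerCase() === "'strict-dynamic'")) {
    // 'self', 'unsafe-inline', host and scheme sources are ignored here.
    const ignored = sources.filter(s => !NONCE_OR_HASH.test(s) && !KEPT.test(s));
    if (ignored.length > 0) findings.push({ id: 'allowlist-ignored', ignored });
    // Without a nonce or hash no parser-inserted script is ever trusted,
    // so nothing exists to load further scripts dynamically.
    if (!sources.some(s => NONCE_OR_HASH.test(s))) {
      findings.push({ id: 'no-nonce-or-hash' });
    }
  }
  // Enforced Trusted Types makes string writes to DOM sinks (innerHTML,
  // eval, script.src) throw in code that does not use a TT policy.
  if ((d.get('require-trusted-types-for') ?? []).includes("'script'")) {
    findings.push({ id: 'trusted-types-enforced' });
  }
  return findings;
}

// Same shape as the policy in the post; hosts are placeholders.
const POSTED_SHAPE = "upgrade-insecure-requests; script-src 'self' " +
  "'strict-dynamic' https://cdn.example.com; object-src 'none'; " +
  "base-uri 'none'; require-trusted-types-for 'script'; " +
  "report-uri https://csp-report.example.com;";
// Nonce-based variant (nonce value constructed; must be fresh per response).
const NONCE_SHAPE = "script-src 'nonce-cjRuZDBtVmFsdWU' 'strict-dynamic'; " +
  "object-src 'none'; base-uri 'none'";
console.log(auditScriptPolicy(POSTED_SHAPE).map(f => f.id));
console.log(auditScriptPolicy(NONCE_SHAPE).map(f => f.id));
```

A nonce has to be generated per response and written into each script tag by the application, so it cannot be supplied by a static header rule alone. Running the candidate policy as `Content-Security-Policy-Report-Only` first shows which plugin scripts it would block before anything is enforced.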
