Hi, I am trying to create a strict Content Security Policy (CSP) in my Nginx configuration, and I want to be sure that any outside sources (possibly connect-src) that the Envato Market Wordpress plugin uses are included in my policy.
In my Nginx virtual hosts server block, I am starting off with the following strict Content Security Policy (Header):
add_header Content-Security-Policy "default-src 'self';
Is there anything that the Envato Market Wordpress Plugin uses that isn’t included in ‘self’, that would need to be included in a strict content security policy header?
If so, could you please tell me what else I need to include in my Nginx header (specifying img-src
rules, style-src
rules, script-src
rules, connect-src
rules, and any other etc-src
etc-src
rules to keep a strict CSP while still allowing the plugin to be fully functional? Thanks so much for any help!