Progressive CSP Implementation Strategy
Implementing a Content Security Policy (CSP) on an existing WordPress site requires a gradual, staged rollout — starting in report-only mode and tightening step by step — to avoid breaking functionality that depends on inline scripts and styles.
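/**
 * Staged CSP rollout for WordPress: adjusts the policy built by the
 * `wp_csp_build_policy` hook according to a persisted implementation stage,
 * and lets an operator advance that stage one step at a time.
 *
 * Stages walk from most permissive / report-only (`discovery`) to full
 * enforcement (`production`). Only `production` disables report-only mode, so
 * every earlier stage is observable through violation reports without
 * blocking resources.
 */
class WP_CSP_Progressive_Implementation {
    /**
     * Rollout stages, in the order advance_stage() walks them.
     *
     * @var list<string>
     */
    public const STAGES = ['discovery', 'transition', 'hardening', 'production'];

    /** Stage that is used when the stored option is missing or unrecognised. */
    private const DEFAULT_STAGE = 'discovery';

    /** WordPress option name the current stage is persisted under. */
    private const OPTION_NAME = 'csp_implementation_stage';

    /** Current stage; always one of self::STAGES. */
    private string $implementation_stage;

    public function __construct() {
        // Normalise whatever is stored so that an unknown or corrupted option
        // value can never land in an undefined state (see adjust_policy_by_stage).
        $this->implementation_stage = self::normalize_stage(
            get_option(self::OPTION_NAME, self::DEFAULT_STAGE)
        );
        // add_action() is an alias of add_filter() in WordPress; the hook is
        // registered as a filter because the callback returns the modified
        // directives rather than acting on them.
        add_filter('wp_csp_build_policy', [$this, 'adjust_policy_by_stage']);
    }

    /**
     * Current implementation stage (one of self::STAGES).
     */
    public function get_stage(): string {
        return $this->implementation_stage;
    }

    /**
     * Filter callback for `wp_csp_build_policy`.
     *
     * Adds the unsafe source expressions the current stage still tolerates and
     * sets the `report-only` flag. Sources are appended only if the base policy
     * does not already list them.
     *
     * @param array<string, mixed> $directives Directive name => list of source
     *        expressions, plus the boolean `report-only` key.
     * @return array<string, mixed> The adjusted directives.
     */
    public function adjust_policy_by_stage(array $directives): array {
        switch ($this->implementation_stage) {
            case 'discovery':
                // Maximally permissive and report-only: inline scripts, eval()
                // and inline styles all run, but each is still reported so the
                // site's real resource usage can be catalogued.
                self::add_source($directives, 'script-src', "'unsafe-inline'");
                self::add_source($directives, 'script-src', "'unsafe-eval'");
                self::add_source($directives, 'style-src', "'unsafe-inline'");
                $directives['report-only'] = true;
                break;

            case 'transition':
                // 'unsafe-eval' is dropped first; inline script and style are
                // still tolerated while they are being migrated to nonces/hashes.
                self::add_source($directives, 'script-src', "'unsafe-inline'");
                self::add_source($directives, 'style-src', "'unsafe-inline'");
                $directives['report-only'] = true;
                break;

            case 'hardening':
                // No unsafe sources are added; inline code is expected to be
                // covered by nonces or hashes supplied by the base policy.
                // Still report-only so remaining gaps surface as reports.
                $directives['report-only'] = true;
                break;

            case 'production':
                // Enforcement. Only move here once the hardening stage has run
                // long enough for the violation reports to have been reviewed.
                $directives['report-only'] = false;
                break;

            default:
                // The constructor and advance_stage() only ever store known
                // stages, so this is defensive: an unexpected value must never
                // silently turn enforcement on.
                $directives['report-only'] = true;
                break;
        }

        return $directives;
    }

    /**
     * Move to the next stage and persist it.
     *
     * This method performs no authorisation of its own; any request handler
     * (admin page, AJAX, REST) that calls it is responsible for the capability
     * and nonce checks before invoking it.
     *
     * @return bool True if the stage was advanced, false if already at the last
     *              stage (or the current stage is unknown).
     */
    public function advance_stage(): bool {
        $current_index = array_search($this->implementation_stage, self::STAGES, true);
        // Strict search: a non-matching stage returns false, and `false + 1`
        // would otherwise silently select the second stage.
        if ($current_index === false || $current_index >= count(self::STAGES) - 1) {
            return false;
        }

        $this->implementation_stage = self::STAGES[$current_index + 1];
        update_option(self::OPTION_NAME, $this->implementation_stage);

        return true;
    }

    /**
     * Map an arbitrary stored value to a known stage, falling back to the
     * default stage for anything unrecognised.
     *
     * @param mixed $stage Raw value from get_option().
     */
    private static function normalize_stage($stage): string {
        if (is_string($stage) && in_array($stage, self::STAGES, true)) {
            return $stage;
        }

        return self::DEFAULT_STAGE;
    }

    /**
     * Append a source expression to a directive unless it is already present.
     *
     * A directive stored as a single string is promoted to a one-element list
     * so that appending does not fail.
     *
     * @param array<string, mixed> $directives Directive map, modified in place.
     */
    private static function add_source(array &$directives, string $directive, string $source): void {
        $sources = (array) ($directives[$directive] ?? []);
        if (!in_array($source, $sources, true)) {
            $sources[] = $source;
        }
        $directives[$directive] = $sources;
    }
}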