Q. My site stopped displaying correctly after I configured CSP (Content Security Policy)
A. Your CSP settings are too strict, causing legitimate scripts and stylesheets to be blocked.
Emergency Fix
First, restore your site's display.
- Go to SentinelSecurity → Security Header Settings (the admin panel is not affected by CSP)
- Either disable CSP or switch to Report-Only (Learning) mode
- Click Save
- Verify that the site's front end is displaying correctly
/wp-content/plugins/sentinel-security folder to disable the plugin.
Proper CSP Deployment Steps
It is critical to deploy CSP gradually.
Step 1: Smart Scan
Use the Smart Scan feature to automatically scan the origins of resources used on your site (scripts, stylesheets, images, fonts, etc.). This will generate a list of domains that need to be allowed.
Step 2: Learn with Report-Only Mode
Set the CSP mode to Report-Only (Learning) and run it for 1–2 weeks. In this mode, resources are not actually blocked — only policy violations are recorded as reports.
Step 3: Review Violation Logs
Check the CSP Violation Log and add legitimate resources (your own site's scripts, Google Analytics, CDN fonts, etc.) to the policy.
Step 4: Switch to Enforce Mode
Once violations have been sufficiently reduced, switch to Enforce mode.
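One way to do the Step 3 review offline, as an added example (not SentinelSecurity's own code): it groups violation reports by the directive each report names and proposes only origins you already trust, leaving inline scripts and unknown hosts for manual review. It assumes the log can be exported as one JSON report per line in the browser's standard csp-report format; the sample lines, function names and trusted-origin set are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: one JSON report per line, browser report-uri format.
SAMPLE_REPORTS = [
    '{"csp-report": {"effective-directive": "style-src-elem", "blocked-uri": "https://fonts.googleapis.com/css2?family=Inter"}}',
    '{"csp-report": {"effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com/s/inter/a.woff2"}}',
    '{"csp-report": {"violated-directive": "script-src-elem", "blocked-uri": "https://www.googletagmanager.com/gtag/js"}}',
    '{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "inline"}}',
    '{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "https://cdn.unknown.example/x.js"}}',
    "not json",
]

def base_directive(name):
    """Map a reported directive to the one you edit (script-src-elem -> script-src)."""
    words = name.split()  # older browsers report the whole directive text
    if not words:
        return "unknown"
    for suffix in ("-elem", "-attr"):
        if words[0].endswith(suffix):
            return words[0][: -len(suffix)]
    return words[0]

def summarize(lines, trusted_origins):
    """Return (additions, review): trusted origins per directive, and entries for a human."""
    additions, review = defaultdict(set), []
    for line in lines:
        try:
            report = json.loads(line)["csp-report"]
            directive = base_directive(
                report.get("effective-directive") or report.get("violated-directive") or "")
            blocked = report.get("blocked-uri", "")
            parts = urlsplit(blocked)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed entry: skip rather than guess
        is_web = parts.scheme in ("http", "https") and parts.netloc
        origin = f"{parts.scheme}://{parts.netloc}" if is_web else None
        if origin in trusted_origins:
            additions[directive].add(origin)
        else:
            # "inline", "eval", "data" and unrecognised hosts are never auto-allowed
            review.append((directive, origin or blocked))
    return {d: sorted(o) for d, o in additions.items()}, review

if __name__ == "__main__":
    trusted = {"https://fonts.googleapis.com", "https://fonts.gstatic.com",
               "https://www.googletagmanager.com"}
    additions, review = summarize(SAMPLE_REPORTS, trusted)
    for directive, origins in sorted(additions.items()):
        print(directive, " ".join(origins))
    print("needs review:", review)
```

Entries in the review list are the ones to investigate before touching the policy: an unfamiliar host in script-src may be an injected script rather than a missing allowlist entry.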
Common Real-World Case (.htaccess Production Mode)
Symptom
- You are using .htaccess Production mode
- Learning mode was stopped
- Required domains from collected CSP reports were not reflected in the final policy
- As a result, required JS/CSS/API requests are blocked by Content-Security-Policy
Why this happens
During learning, SentinelSecurity uses Content-Security-Policy-Report-Only to collect violations.
After learning ends, enforcement moves to normal Content-Security-Policy. If the collected logs are not applied to your allowlist, necessary resources will be blocked.
Fast Recovery Steps
- In Security Header Settings, switch back to Learning Mode temporarily
- Reproduce real user flows (home, contact, member area, checkout, etc.) to collect violations
- Review the CSP Violation Log and add required domains to script-src, style-src, connect-src, and others
- Save settings to regenerate .htaccess
- Switch back to Enforce and confirm in browser devtools that blocking is resolved
Notes
- If .htaccess is not writable, changes cannot be applied correctly
- External services (CDN, analytics tags, API endpoints) are easy to miss unless you test actual pages
Common Causes
| Blocked Resource | Fix |
|---|---|
| Google Fonts | Add https://fonts.googleapis.com and https://fonts.gstatic.com to font-src |
| Google Analytics | Add https://www.googletagmanager.com to script-src and connect-src |
| Inline scripts | Add 'unsafe-inline' to script-src (not recommended, but necessary in some cases) |
| CDN stylesheets | Add the CDN domain to style-src |