Admin Settings
Last updated: August 19, 2025
EU Cookie Consent
In this section the EU Cookie consent notice can be turned on.
For all clients operating in the EU or processing in euros, set the cookie consent to “Force users to agree to cookie use before interacting with site”.
If the client would like to use an alternative privacy policy, terms of service or use of cookies url it can be set here.
For more information on EU Cookie Consent, reference this help page.
FareHarbor Server Cluster
This is a setting used very rarely.
If the site is using a demo Fareharbor dashboard, switch the serve cluster to demo to access the demo dashboard. Once the dashboard is on the production servers however this will no longer work.
Close.io Tab
Below is a screenshot of the Close.io tab found in Admin Settings. A Super Admin user will need to provide the lead ID, and paste it into the Close Lead ID field.

Internal Notes
WCSs now have the ability to store internal notes regarding any design (or other) decision made in building the site. The purpose of leaving internal notes is to ensure that any future page additions or edits by a WCS or LSS down the line will adhere to the design and organizational choices made by the original builder and/or the client.
When any internal notes are present, a dropdown displays at the top of every back end window. This can be expanded and collapsed to reveal and hide the internal notes, without leaving a page that is currently being edited. If there are new notes, each individual user will be notified that there are new internal notes the first time they log in. If someone logs in and sees the New Notes badge, it does not clear the New Notes notification badge for other users. This ensures that each person will be notified if there are internal notes they have not yet viewed.
Best Practice:
When leaving notes in this field they should be done with the goal of simplifying the job of making updates, adding pages, adding activities, and should also alert LSSs who work on the site going forward of any unusual or atypical characteristics of the site, so that the amount of back-and-forth it takes to correctly solve tickets is kept to a minimum. Here are some examples of what may need to be included in Internal Notes:
- Link to existing client-specific FH Sites help pages (i.e. All In Adventures)
- If anything custom has been done (anything done through coding that is not normal)
- If a site is linked to more than 1 dashboard
- Special design requirements the client has made in the past
- If a client’s site is in Dormant Mode
Content Security Policy (CSP) Help Guide
What is Content Security Policy?
Content Security Policy (CSP) is a powerful security feature that helps protect websites from malicious attacks like cross-site scripting (XSS) and data injection. Think of it as a “whitelist” that tells the browser which sources are allowed to load content on your website.
CSP acts like a security guard for your website, only allowing trusted resources to load and blocking anything suspicious.
Why Use CSP?
- Prevents Malicious Script Injection: Stops hackers from injecting harmful code
- Blocks Unauthorized Resource Loading:Only allows content from trusted sources
- Enhances Security Compliance: Meets requirements for regulated industries (healthcare, finance, etc.)
- Protects Client Data: Adds an extra layer of protection for sensitive information
- Improves Client Trust: Shows you take security seriously
Where to Find CSP Settings
- Log into WordPress Admin
- Navigate to Admin Settings (in the left sidebar)

- Click on the Security tab
- Look for the CSP Header field

Step-by-Step CSP Guide
IMPORTANT: Always Start in Report Mode
Never enable CSP in enforcement mode without testing first! CSP can accidentally block legitimate website features if not configured properly.
Step 1: Enable Report-Only Mode
- In the CSP Header field, add your policy
- Make sure “Report-Only Mode” is enabled (this is the default)
- Save your changes

Step 2: Use the Default Template
A secure default template is provided that works with most common services:
default-src 'self' *.gstatic.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com google-analytics.com *.googletagmanager.com googletagmanager.com *.instagram.com *.cloudflare.com *.fareharbor.com fareharbor.com *.google.com *.youtube.com gstatic.com *.gstatic.com *.googleapis.com googleapis.com;
style-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com;
img-src 'self' data:;
connect-src 'self' *.google-analytics.com *.googletagmanager.com *.instagram.com;
frame-src 'self' *.instagram.com *.facebook.com fareharbor.com *.fareharbor.com *.youtube.com youtube.com google.com *.google.com fareharboractivities.com;
This template allows:
- ✅ Self-hosted content
- ✅ Google services (Analytics, Tag Manager, Fonts, Maps)
- ✅ Social media embeds (Instagram, Facebook, YouTube)
- ✅ FareHarbor booking widgets
- ✅ Common CDNs and APIs
Step 3: Test Thoroughly
Testing is the most critical step! Visit every important page on the website and test all functionality.
Functionality Checklist:
- Homepage loads completely
- Contact forms submit successfully
- Booking calendar appears and functions
- Social media embeds display (Instagram, Facebook, YouTube)
- Google Analytics tracking works
- Any custom scripts or widgets function
- Mobile version works properly
- All navigation and menus work
- Image galleries and slideshows function
- Any third-party integrations work (chat widgets, etc.)
Check Browser Console
This is crucial! While testing:
- Open browser developer tools (press F12)
- Go to the Console tab
- Look for red error messages mentioning “CSP” or “Content Security Policy”
- Note any violations – these tell you what needs to be added to your policy
Example CSP Violation:
Content Security Policy: The page’s settings blocked the loading of a resource at https://example-widget.com/script.js because it violates the following directive: “script-src ‘self’ …
Step 4: Fix Any Violations
If you see CSP violations in the console:
- Identify the blocked resource (the URL in the error message)
- Add the domain to the appropriate directive in your CSP policy
- Save and test again
Common Additions
For a chat widget from widget.com:
script-src 'self' 'unsafe-inline' ... widget.com;
For analytics from analytics-service.com:
connect-src 'self' ... analytics-service.com;
Step 5: Switch to Enforcement Mode
Only after all testing is complete and no violations remain:
- Disable “Report-Only Mode”
- Save your changes
- Test one final time to ensure everything still works
Common CSP Directives Explained
| Directive | What It Controls | Example |
|---|---|---|
default-src |
Default policy for all resource types | default-src 'self' |
script-src |
JavaScript files and inline scripts | script-src 'self' google.com |
style-src |
CSS stylesheets | style-src 'self' 'unsafe-inline' |
img-src |
Images | img-src 'self' data: *.cloudfront.net |
connect-src |
AJAX, WebSocket, fetch requests | connect-src 'self' api.example.com |
frame-src |
Embedded frames/iframes | frame-src youtube.com |
Common CSP Sources
| Source | Meaning |
|---|---|
'self' |
Same domain as the website |
'unsafe-inline' |
Allows inline scripts/styles (use carefully) |
'unsafe-eval' |
Allows eval() in JavaScript (use carefully) |
data: |
Data URLs (for base64 images, etc.) |
*.example.com |
Any subdomain of example.com |
https: |
Any HTTPS URL |
Troubleshooting Common Issues
Issue: Contact Forms Stop Working
Solution: Check if the form uses a third-party service. Add the service domain to script-src and connect-src.
Issue: Social Media Embeds Don’t Load
Solution: Add the social media domains to frame-src. Common ones:
- Instagram: `*.instagram.com`
- Facebook: `*.facebook.com`
- YouTube: `*.youtube.com`
Issue: Google Analytics Not Tracking
Solution: Ensure these are in your policy:
script-src ... *.google-analytics.com *.googletagmanager.com;
connect-src ... *.google-analytics.com *.googletagmanager.com;
Issue: Custom Fonts Not Loading
Solution: Add font sources to font-src:
font-src 'self' fonts.googleapis.com fonts.gstatic.com;
Issue: Images Not Displaying
Solution: Add image sources to img-src:
img-src 'self' data: *.amazonaws.com *.cloudfront.net;
Best Practices
✅ Do:
- Always test in report-only mode first
- Check the browser console for violations
- Test on multiple devices and browsers
- Document any custom additions you make
- Keep policies as restrictive as possible while maintaining functionality
- Regularly review and update policies
❌ Don’t:
- Enable enforcement mode without thorough testing
- Use `’unsafe-inline’` and `’unsafe-eval’` unless necessary
- Allow `*` (all domains) – be specific
- Ignore console violations
- Set up CSP on a live site without testing on staging first
When to Use CSP
Guidelines for When to Use CSP
Great Candidates
- Healthcare websites (HIPAA compliance)
- Financial services sites
- E-commerce platforms
- High-traffic websites
- Sites handling sensitive data
- Clients specifically requesting enhanced security
Consider Carefully:
- Sites with a lot of third-party integrations
- Websites with extensive custom code
- Sites where you don’t control all the plugins/widgets
When to Ask for Help:
If you encounter issues, please check each step below:
- Check the console first – it usually tells you exactly what’s blocked
- Start with the default template and add only what you need
- Test incrementally – add one service at a time
- Document your changes so you can revert if needed
- Ask for help if you’re unsure about a violation
Security Note
CSP is a powerful security tool, but it requires careful implementation. When in doubt:
- Start conservative and add permissions as needed
- Always test thoroughly
- Keep detailed notes of what you’ve added and why
- Regular review policies to ensure they’re still appropriate
Remember: A broken CSP that blocks legitimate functionality is worse than no CSP at all. Take your time and test thoroughly!