Security Server response header - Content-Security-Policy

  • Thread starter Underground Forum

What is Content Security Policy

The HTTP Content-Security-Policy (CSP) response header lets website administrators control which content sources the user's web browser is allowed to load and execute.
By default, the header blocks loading content from every source that is not listed in the whitelist.
This technology helps protect a website against XSS (cross-site scripting) attacks and other malicious code.

Basic directives

default-src - default sources (used by any directive that is not set explicitly);
style-src - CSS styles;
font-src - fonts;
img-src - images;
media-src - audio and video content;
frame-src - frames (page within a page);
script-src - scripts (JavaScript, PHP);
object-src - web plugins;

Using CSP in nginx.conf (NGINX):
add_header Content-Security-Policy "default-src 'self' *.domain.com";
default-src - the default source list, applied to every content type that has no directive of its own.
'self' - the site's own domain (the origin the page was served from).
In this example, content may only be loaded from the site itself and from the trusted subdomains matched by *.domain.com; every other source is blocked.
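To show how the browser applies the directives listed above to a header like the NGINX example, here is an added evaluator (not code from the forum post) that parses a CSP header and decides, for a given resource URL and content type, whether the policy allows the load. The sample policy, the page origin https://www.domain.com and the resource URLs are constructed for the example; the fallback rule (a missing directive uses default-src) follows the post's description, while host matching is a simplified model: paths and ports are ignored, a schemeless host source matches any scheme, and frame-src is assumed to fall back directly to default-src.

```python
"""Simplified CSP evaluator (added example; assumptions noted in comments)."""
from urllib.parse import urlsplit

# The directives from the post. All of them fall back to default-src when absent
# (assumption: frame-src is modelled as falling back straight to default-src).
FETCH_DIRECTIVES = {
    "default-src", "style-src", "font-src", "img-src",
    "media-src", "frame-src", "script-src", "object-src",
}


def parse_csp(header: str) -> dict:
    """Turn 'name src src; name src' into {name: [sources]}; first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in FETCH_DIRECTIVES and name not in policy:
            policy[name] = sources
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """'*' matches anything; '*.domain.com' matches subdomains but NOT domain.com itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source: str, resource_url: str, page_origin: str) -> bool:
    """Does one source expression permit loading resource_url from a page at page_origin?"""
    src = source.lower()
    res = urlsplit(resource_url)
    if src == "'none'":
        return False
    if src == "'self'":
        page = urlsplit(page_origin)
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if src.startswith("'"):
        return False  # keyword sources such as 'unsafe-inline' never match a URL
    if src.endswith(":"):
        return res.scheme == src[:-1]  # scheme source, e.g. https:
    if "://" in src:  # host source with an explicit scheme
        scheme, _, hostpart = src.partition("://")
        if res.scheme != scheme:
            return False
    else:  # schemeless host source; assumption: matches any scheme
        hostpart = src
    hostpart = hostpart.split("/")[0].split(":")[0]  # drop path and port (simplification)
    return _host_matches(hostpart, res.hostname or "")


def is_allowed(policy: dict, directive: str, resource_url: str, page_origin: str) -> bool:
    """Apply the directive, or default-src when the directive is absent."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(source_allows(s, resource_url, page_origin) for s in sources)


# Constructed sample: the post's NGINX policy extended with per-type directives.
SAMPLE_POLICY = (
    "default-src 'self' *.domain.com; "
    "script-src 'self'; "
    "img-src 'self' https://cdn.domain.com; "
    "object-src 'none'"
)
PAGE = "https://www.domain.com"


def evaluate_sample() -> dict:
    """Return {description: allowed?} for a set of constructed loads."""
    policy = parse_csp(SAMPLE_POLICY)
    checks = {
        "script from own origin": ("script-src", "https://www.domain.com/app.js"),
        "script from subdomain": ("script-src", "https://static.domain.com/x.js"),
        "style from subdomain (uses default-src)": ("style-src", "https://static.domain.com/s.css"),
        "image from cdn": ("img-src", "https://cdn.domain.com/logo.png"),
        "image from unrelated host": ("img-src", "https://other.example/t.png"),
        "plugin from own origin": ("object-src", "https://www.domain.com/f.swf"),
        "font from apex domain (not a subdomain)": ("font-src", "https://domain.com/a.woff"),
    }
    return {label: is_allowed(policy, d, url, PAGE) for label, (d, url) in checks.items()}


if __name__ == "__main__":
    for label, ok in evaluate_sample().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {label}")
```

Two results are worth noting for anyone writing a policy like the post's: `style-src` is absent, so styles fall back to `default-src` and a stylesheet from `static.domain.com` is allowed, while `*.domain.com` does not cover the apex `domain.com`, so a font from there is blocked unless `domain.com` is listed explicitly.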

Using CSP in httpd.conf (Apache):
Header set Content-Security-Policy "default-src 'self';"
Allows content to be loaded only from the domain the site itself is served from.

Using CSP in .htaccess (Apache, with mod_headers):
<ifModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'"
</ifModule>