What is Content Security Policy
The HTTP Content Security Policy (CSP) header lets a website administrator control which content sources the user's browser is allowed to load. By default, the browser blocks content from every source that is not listed in the policy's allowlist.
This mechanism helps protect a website against XSS attacks (cross-site scripting) and other injected malicious code.
Basic directives
default-src - default sources;
style-src - CSS styles;
font-src - fonts;
img-src - images;
media-src - audio and video content;
frame-src - frames (page within a page);
script-src - scripts (JavaScript);
object-src - web plugins;
Using CSP in nginx.conf (NGINX):
add_header Content-Security-Policy "default-src 'self' *.domain.com";
'self' - the site's own origin (scheme, host and port of the page itself).
In this example, content may only be loaded from the site itself and from subdomains of the trusted domain *.domain.com; every other source is blocked.
Using CSP in httpd.conf (Apache):
Header set Content-Security-Policy "default-src 'self';"
Using CSP in .htaccess (Apache, requires mod_headers):
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'"
</IfModule>
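As an added example that is not part of the original article, the following Python code models how a browser evaluates the policies configured above: the directive for a resource type is looked up, falling back to default-src when it is absent, and each source expression ('self', a host name, a *.wildcard) is matched against the requested URL. The page origin and resource URLs are constructed sample values.

```python
from urllib.parse import urlparse


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Return True if a single source expression permits loading url."""
    target = urlparse(url)
    page = urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        # Same scheme, host and port as the page itself.
        return (target.scheme, target.hostname, target.port) == \
               (page.scheme, page.hostname, page.port)
    if expr == "*":
        return True
    # host-source, optionally with an explicit scheme: https://cdn.domain.com
    if "://" in expr:
        scheme, host = expr.split("://", 1)
        if target.scheme != scheme:
            return False
    else:
        host = expr
    host = host.lower()
    if host.startswith("*."):
        # *.domain.com covers subdomains only, not the apex domain.com
        return target.hostname is not None and target.hostname.endswith(host[1:])
    return target.hostname == host


def is_allowed(policy, directive, url, page_origin):
    """Resolve a fetch directive, falling back to default-src like a browser."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the load is unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)


# The nginx example from the article, evaluated for a constructed page origin.
NGINX_POLICY = parse_csp("default-src 'self' *.domain.com")
PAGE = "https://www.domain.com"
```

Calling is_allowed(NGINX_POLICY, "script-src", "https://evil.example/x.js", PAGE) returns False, while a script from https://cdn.domain.com is permitted through the wildcard.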