The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
Server Side Configuration
Apache Content-Security-Policy Header
You can add the following to your Apache configuration, either in httpd.conf, in a VirtualHost block, or in an .htaccess file (the Header directive requires mod_headers to be loaded and, for .htaccess, AllowOverride FileInfo):
Header set Content-Security-Policy "default-src 'self';"
But that is too restrictive if you load scripts from third parties such as Google Analytics or CloudFlare: the line above tells the browser to load scripts, images, stylesheets and everything else only from your own origin, and it also blocks inline <script> blocks and inline event handlers, since 'self' does not include 'unsafe-inline'.
For that reason your config should probably look more like this:
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; \
        script-src 'self' www.google-analytics.com *.cloudflare.com ajax.googleapis.com apis.google.com platform.twitter.com; \
        img-src 'self' *.cloudflare.com; \
        child-src plusone.google.com facebook.com platform.twitter.com"
    # Disable MIME type sniffing, which Internet Explorer in particular used to
    # turn into script execution of content served with a different type
    Header set X-Content-Type-Options nosniff
    # Refuse to be embedded in any frame
    Header set X-Frame-Options DENY
</IfModule>
Two details are easy to get wrong here. A directive that is present does not inherit from default-src, so img-src needs its own 'self' or your own images stop loading. And every directive must be terminated with ';': if the one between img-src and child-src is dropped, the browser reads child-src and the hosts after it as (meaningless) image sources, and frames fall back to default-src 'self'.
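To see what the two policies above actually permit, here is a small evaluator, added as an example (it is not code from the page and the Apache configuration does not depend on it). It tokenises a policy the way a browser does, ';' between directives and whitespace between sources, and answers whether a given fetch would be allowed. A variant of the second policy with the ';' omitted between img-src and child-src and without 'self' in img-src is included to show what those two mistakes do. The directive-fallback table and the port matching are simplified from the spec, and the page origin and the URLs tested are assumptions.

```python
"""Evaluate what a Content-Security-Policy header actually permits.

Added example, not code from the original page. Handles the source expressions
used on this page: 'self', 'none', '*', scheme sources such as https:, and host
sources with an optional leading wildcard (*.cloudflare.com).
"""
from urllib.parse import urlsplit

# Assumption: only these fetch directives fall back to default-src (the spec has a
# longer chain, e.g. frame-src -> child-src -> default-src). Directives such as
# frame-ancestors and report-uri never fall back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src", "frame-src", "worker-src",
}
NETWORK_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

PAGE = "https://www.example.com"  # assumed origin of the document being protected

# The second Apache policy with the two common mistakes: no ';' after img-src and
# no 'self' in img-src. Constructed for illustration.
AS_WRITTEN = ("default-src 'self'; script-src 'self' www.google-analytics.com *.cloudflare.com "
              "ajax.googleapis.com apis.google.com platform.twitter.com; "
              "img-src *.cloudflare.com child-src plusone.google.com facebook.com platform.twitter.com")
FIXED = ("default-src 'self'; script-src 'self' www.google-analytics.com *.cloudflare.com "
         "ajax.googleapis.com apis.google.com platform.twitter.com; "
         "img-src 'self' *.cloudflare.com; child-src plusone.google.com facebook.com platform.twitter.com")


def parse_csp(header):
    """Return {directive: [source, ...]}; a repeated directive is ignored (first wins)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else NETWORK_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.cloudflare.com: any subdomain, not the apex
    return host == pattern


def _source_matches(source, page, url):
    """Does one source expression allow `url` on a document served from `page`?"""
    src = source.lower()
    if src == "'self'":
        return (url.scheme, url.hostname, _effective_port(url)) == \
               (page.scheme, page.hostname, _effective_port(page))
    if src.startswith("'"):
        return False  # 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes: never allow a URL fetch
    if src == "*":
        return url.scheme in NETWORK_PORTS  # bare wildcard excludes data:, blob:, etc.
    if src.endswith(":"):
        return url.scheme == src[:-1]  # scheme source, e.g. https:
    scheme, _, rest = src.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme:
        if url.scheme != scheme:
            return False
    elif url.scheme not in (page.scheme, "https"):
        return False  # schemeless host source: the page's scheme, or an upgrade to https
    if not _host_matches(host, url.hostname or ""):
        return False
    if port and port != "*" and str(_effective_port(url)) != port:
        return False
    return True


def is_allowed(header, directive, page_origin, url):
    """True if a fetch governed by `directive` (e.g. "img-src") is permitted by `header`."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing governs this fetch, so CSP does not restrict it
    page, target = urlsplit(page_origin), urlsplit(url)
    return any(_source_matches(s, page, target) for s in sources)


if __name__ == "__main__":
    print(is_allowed("default-src 'self';", "script-src", PAGE, "https://www.google-analytics.com/analytics.js"))
    print(is_allowed(AS_WRITTEN, "img-src", PAGE, PAGE + "/logo.png"), is_allowed(FIXED, "img-src", PAGE, PAGE + "/logo.png"))
    print(is_allowed(AS_WRITTEN, "child-src", PAGE, "https://plusone.google.com/"), is_allowed(FIXED, "child-src", PAGE, "https://plusone.google.com/"))
```

The checks with `default-src https:` are worth running too: any script on any HTTPS host passes, which is why that policy on its own is not an XSS defence.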
Other examples
Starter Policy - This policy allows images, scripts, AJAX, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
Other Policies
# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https. Note that this provides essentially no XSS protection: inline script is blocked, but an injected <script src=...> pointing at any HTTPS host is still allowed
Content-Security-Policy: default-src https:
<!-- The same policy delivered in a <meta> tag. frame-ancestors, report-uri, report-to and sandbox are ignored when CSP is delivered this way, so prefer the HTTP header where you can -->
<meta http-equiv="Content-Security-Policy" content="default-src https:">
# Disable the use of unsafe inline/eval, allow everything else except plugin execution
Content-Security-Policy: default-src *; object-src 'none'
# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur. Also disables the execution of plugins
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'
# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from Google, and images from same origin and imgur. Sites should aim for policies like this. Host sources are never quoted: a quoted host is treated as an unknown keyword and ignored. Google Fonts serves its stylesheet from fonts.googleapis.com and the font files from fonts.gstatic.com, so style-src needs the former and font-src the latter
Content-Security-Policy: default-src 'none'; font-src https://fonts.gstatic.com; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self' https://fonts.googleapis.com
# Pre-existing site that uses too much inline code to fix but wants to ensure resources are loaded only over https and disable plugins
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'
# Don't enforce the above policy yet; instead just report violations that would have occurred. The browser POSTs each violation as JSON to the given path. report-uri is deprecated in favour of report-to but is still the delivery mechanism every browser supports. The endpoint is reachable by anyone, so rate-limit it and treat report contents as untrusted input
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
# Disable the loading of any resources and disable framing, recommended for APIs
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
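The report-uri line above needs something listening on the other end. Below is an added example of that receiver, not code from the page: it takes the body and Content-Type of a violation report POST, recognises both the legacy application/csp-report body that report-uri produces and the newer application/reports+json delivery used by report-to, flattens each report into one record, and flags reports caused by browser extensions rather than by the site. The size cap, the noise filter and the sample bodies are assumptions constructed for the example.

```python
"""Receive and normalise CSP violation reports (added example, not from the page).

report-uri delivery:  {"csp-report": {...}}                 Content-Type: application/csp-report
report-to delivery:   [{"type": "csp-violation", "body": {...}}, ...]  Content-Type: application/reports+json
"""
import json

MAX_REPORT_BYTES = 16 * 1024  # assumption: anyone can POST here, so bound the work per request

# canonical field -> (report-uri key, report-to key)
_FIELDS = {
    "document":    ("document-uri",        "documentURL"),
    "blocked":     ("blocked-uri",         "blockedURL"),
    "directive":   ("effective-directive", "effectiveDirective"),
    "source_file": ("source-file",         "sourceFile"),
    "line":        ("line-number",         "lineNumber"),
    "disposition": ("disposition",         "disposition"),
}

# Assumption: blocked URLs with these prefixes come from browser extensions or the
# browser itself, not from the site, and make up most real-world report volume.
_NOISE_PREFIXES = ("chrome-extension://", "moz-extension://", "safari-extension://", "about")


def _flatten(raw):
    """Map either report shape onto the canonical field names; unknown types become None."""
    rec = {}
    for name, (legacy, modern) in _FIELDS.items():
        value = raw.get(legacy, raw.get(modern))
        rec[name] = value if isinstance(value, (str, int)) else None
    # Older browsers sent only violated-directive ("script-src 'self'"); keep the directive name.
    if rec["directive"] is None and isinstance(raw.get("violated-directive"), str):
        rec["directive"] = (raw["violated-directive"].split() or [None])[0]
    return rec


def normalise_reports(body, content_type):
    """Parse one report POST; returns a list of records, empty if the request is rejected."""
    if len(body) > MAX_REPORT_BYTES:
        return []
    mime = content_type.split(";", 1)[0].strip().lower()
    try:
        data = json.loads(body)
    except ValueError:  # malformed JSON or invalid UTF-8
        return []
    if mime == "application/csp-report" and isinstance(data, dict):
        raw = data.get("csp-report")
        return [_flatten(raw)] if isinstance(raw, dict) else []
    if mime == "application/reports+json" and isinstance(data, list):
        return [_flatten(item["body"]) for item in data
                if isinstance(item, dict) and item.get("type") == "csp-violation"
                and isinstance(item.get("body"), dict)]
    return []


def is_noise(rec):
    """True for reports the site owner cannot act on (extension injections and the like)."""
    blocked = rec["blocked"] if isinstance(rec["blocked"], str) else ""
    src = rec["source_file"] if isinstance(rec["source_file"], str) else ""
    return blocked.startswith(_NOISE_PREFIXES) or src.startswith(_NOISE_PREFIXES)


# Constructed sample bodies shaped like the two delivery formats.
LEGACY_BODY = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-violation-report-endpoint/",
    "blocked-uri": "https://www.google-analytics.com/analytics.js",
    "status-code": 200,
    "disposition": "report",
}}).encode()

MODERN_BODY = json.dumps([{
    "age": 12, "type": "csp-violation", "url": "https://www.example.com/",
    "user_agent": "Mozilla/5.0 (constructed)",
    "body": {
        "documentURL": "https://www.example.com/",
        "blockedURL": "chrome-extension://abcdefgh/inject.js",
        "effectiveDirective": "script-src",
        "originalPolicy": "default-src 'none'; script-src 'self'",
        "disposition": "enforce", "statusCode": 200,
    },
}]).encode()


if __name__ == "__main__":
    for body, ctype in ((LEGACY_BODY, "application/csp-report"), (MODERN_BODY, "application/reports+json")):
        for rec in normalise_reports(body, ctype):
            print("noise" if is_noise(rec) else "real ", rec["directive"], rec["blocked"])
```

Respond to the POST with 204 regardless of what you parsed; the browser does nothing with the response, and an error page only gives a probing client something to read.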
Additional important headers
There are a few extra headers worth setting while you’re at it:
Strict-Transport-Security
Tells browsers that have seen the header to turn every future http:// request to the host into https:// for max-age seconds (631138519 is about twenty years). The header is only honoured when it arrives over HTTPS, and includeSubDomains commits every subdomain to HTTPS as well, so confirm they all serve valid certificates before adding it.
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
X-Frame-Options
Disallow your page from being embedded within a <frame>, <iframe> or <object>. The CSP frame-ancestors directive does the same job and takes precedence when both are present; keep X-Frame-Options for browsers that do not support it.
Header set X-Frame-Options DENY
X-Content-Type-Options
Disables MIME type sniffing, which otherwise lets a browser (historically Internet Explorer) treat a response with an innocent looking extension or declared type, say an image, as JavaScript if the bytes look like script. With nosniff, script and stylesheet loads whose declared type is wrong are blocked outright.
Header set X-Content-Type-Options nosniff
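A quick way to confirm a deployment sets all of these headers as described is an offline audit over the response headers. The following is an added example, not code from the page: it takes the headers as a dict (what you would get from an HTTP client or by pasting curl -I output) and returns findings. The one-year HSTS floor, the finding codes and the two sample header sets are assumptions constructed for the example.

```python
"""Audit a response's security headers against this page's recommendations.

Added example, not from the original page.
"""

ONE_YEAR = 31536000  # assumption: one year is the usual floor for HSTS max-age


def _csp_directives(csp):
    """Tiny CSP tokeniser: {directive: [sources]} with the first occurrence winning."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return out


def audit_security_headers(headers):
    """Return a list of (code, severity, message); an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "high", "Strict-Transport-Security not set"))
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d[len("max-age="):] for d in directives if d.startswith("max-age=")), None)
        if max_age is None or not max_age.isdigit():
            findings.append(("hsts-max-age", "high", "HSTS max-age missing or not a number"))
        elif int(max_age) < ONE_YEAR:
            findings.append(("hsts-short", "medium", f"HSTS max-age={max_age} is under one year"))
        if "includesubdomains" not in directives:
            findings.append(("hsts-no-subdomains", "low", "HSTS lacks includeSubDomains"))

    csp = h.get("content-security-policy", "")
    policy = _csp_directives(csp)
    if not csp:
        findings.append(("csp-missing", "high", "Content-Security-Policy not set"))
    else:
        # script-src falls back to default-src; 'unsafe-inline' there defeats the XSS benefit
        script = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script:
            findings.append(("csp-unsafe-inline-script", "medium", "scripts may run with 'unsafe-inline'"))

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("framing-unprotected", "medium",
                         "neither CSP frame-ancestors nor X-Frame-Options DENY/SAMEORIGIN is set"))
    if xfo.startswith("ALLOW-FROM"):
        findings.append(("xfo-allow-from", "low",
                         "X-Frame-Options ALLOW-FROM is ignored by current browsers; use frame-ancestors"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("nosniff-missing", "low", "X-Content-Type-Options: nosniff not set"))
    return findings


# Constructed header sets: the combination this page recommends, and a weak one.
RECOMMENDED = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=631138519; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {
    "Content-Security-Policy": "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}


if __name__ == "__main__":
    for name, hdrs in (("recommended", RECOMMENDED), ("weak", WEAK)):
        print(name)
        for code, severity, message in audit_security_headers(hdrs):
            print(f"  [{severity}] {code}: {message}")
```

The audit deliberately accepts a site that sets frame-ancestors but not X-Frame-Options, since the CSP directive supersedes the older header; treat the X-Frame-Options line as belt and braces for older browsers rather than a requirement.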