The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

Server Side Configuration

Apache Content-Security-Policy Header

You could add the following to the Apache webserver in httpd.conf in your VirtualHost or in an .htaccess file:

Header set Content-Security-Policy "default-src 'self';"

But that’s a little too restrictive if you are running scripts from third parties like Google Analytics and CloudFlare Using the line above would configure your website to only load scripts, images etc. from the same domain.

For that reason your config should probably look more like this:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' *; img-src * child-src"
        Header set X-Content-Type-Options nosniff
        Header set X-Frame-Options DENY

Other examples

Starter Policy - This policy allows images, scripts, AJAX, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.

Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

Other Policies

# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https. Note that this does not provide any XSS protection
Content-Security-Policy: default-src https:

<!-- Do the same thing, but with a <meta> tag -->
<meta http-equiv="Content-Security-Policy" content="default-src https:">

# Disable the use of unsafe inline/eval, allow everything else except plugin execution
Content-Security-Policy: default-src *; object-src 'none'

# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur. Also disables the execution of plugins
Content-Security-Policy: default-src 'self'; img-src 'self'; object-src 'none'

# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google, and images from same origin and imgur. Sites should aim for policies like this.
Content-Security-Policy: default-src 'none'; font-src '';
             img-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'

# Pre-existing site that uses too much inline code to fix but wants to ensure resources are loaded only over https and disable plugins
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'

# Don't implement the above policy yet; instead just report violations that would have occured
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/

# Disable the loading of any resources and disable framing, recommended for APIs to use
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

Additional important headers

There are a few extra headers worth setting while you’re at it:


Ensures that all traffic is sent through HTTPS.

Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"


Disallow your page to be embedded within a <frame>, <iframe> or <object>.

Header set X-Frame-Options DENY


Disable MIME type sniffing, which can e.g. make IE execute an innocent looking .img URL as a javascript.

Header set X-Content-Type-Options nosniff