Hassan Mussana

Reputation: 1424

Implement Content Security Policy using local htaccess file (Apache)

I'm new to web dev and want to implement Content Security Policy on a certain web page only.

This is what I have done so far:

1. Set the header this way:

Header set Content-Security-Policy "
    default-src 'self';
    script-src 'self';
"

2. Got a 500 internal server error after this setting. Read somewhere that mod_headers must be enabled. So enabled it using:

sudo a2enmod headers
sudo service apache2 restart

3. .htaccess looks like this now:

<IfModule mod_headers.c>Header set Content-Security-Policy "

    default-src 'self';

    script-src 'self';

"</IfModule>

Right now the problem is that I'm not getting any error, but the header is still not set. Please advise me if I'm missing something. I've gone through other threads already and followed this whole path using: How to implement content security policy? and some other questions too. P.S. I'm using Apache and PHP on Ubuntu 14.04

Upvotes: 2

Views: 29469

Answers (3)

John T.

Reputation: 491

For anyone who wants to use line breaks (and you're going to want to use line breaks for really complex CSPs), Apache allows them by simply ending a line with a backslash ( \ ) to indicate that the command continues on the next line. For example (taken from Hassan's original post):

<IfModule mod_headers.c>Header set Content-Security-Policy "\
    \
    default-src 'self'; \
    \
    script-src 'self'; \
    \
"</IfModule>

Note that the white space before the backslash does not matter; you can have the backslash immediately after a non-whitespace character or you can add one or more spaces, tabs, etc. and then end with the slash. Blank lines must include the backslash as the last character on the line.

Reference: https://httpd.apache.org/docs/current/configuring.html

httpd configuration files contain one directive per line. The backslash "\" may be used as the last character on a line to indicate that the directive continues onto the next line. There must be no other characters or white space between the backslash and the end of the line.

Upvotes: 7
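As an added example (not part of the question or of John T.'s answer), the script below applies Apache's continuation rule quoted above to a .htaccess snippet: a line is continued only when the backslash is its very last character, so a backslash followed by trailing whitespace does not continue the line. It then extracts the Content-Security-Policy value from the joined directive and splits it into directives. The two snippets are constructed from the thread (the backslash version from this answer, the one without backslashes from the original post), and the weak-source heuristics in check_policy are this example's own assumptions, not anything Apache checks.

```python
"""Join Apache line continuations and parse the resulting CSP header value.

Added example built around the snippets in this thread; the "weak source"
heuristics at the bottom are assumptions, not Apache behaviour.
"""
import re

# Constructed sample in the style of John T.'s answer (backslash continuations).
HTACCESS_SNIPPET = r'''<IfModule mod_headers.c>Header set Content-Security-Policy "\
    \
    default-src 'self'; \
    \
    script-src 'self'; \
    \
"</IfModule>'''

# Constructed sample mirroring the original post (no continuations).
BROKEN_SNIPPET = '''<IfModule mod_headers.c>Header set Content-Security-Policy "

    default-src 'self';

    script-src 'self';

"</IfModule>'''


def join_continued_lines(config_text):
    """Join lines that end in a backslash, following httpd's documented rule.

    The backslash must be the last character on the line; whitespace after it
    means the line is NOT continued, so we deliberately do not rstrip first.
    """
    joined = []
    buf = ""
    for line in config_text.split("\n"):
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep accumulating
        else:
            buf += line
            joined.append(buf)
            buf = ""
    if buf:                           # file ended on a continued line
        joined.append(buf)
    return joined


def extract_csp_value(directive_line):
    """Return the quoted value of a 'Header set Content-Security-Policy "..."' directive,
    or None if the directive (including its closing quote) is not on this one line."""
    m = re.search(r'Header\s+set\s+Content-Security-Policy\s+"([^"]*)"', directive_line)
    return m.group(1) if m else None


def parse_csp(value):
    """Split a CSP string into {directive-name: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()         # also swallows the indentation left by continuations
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def check_policy(policy):
    """Assumed reviewer heuristics: flag a missing fallback and overly broad sources."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    for name, sources in policy.items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                findings.append(f"{name} allows {src}")
    return findings


def analyse_htaccess(config_text):
    """Return (policy dict, findings) for the first CSP directive found, or (None, findings)."""
    for line in join_continued_lines(config_text):
        value = extract_csp_value(line)
        if value is not None:
            policy = parse_csp(value)
            return policy, check_policy(policy)
    return None, ["no complete Content-Security-Policy directive on a single line"]


if __name__ == "__main__":
    for label, snippet in (("with backslashes", HTACCESS_SNIPPET), ("original post", BROKEN_SNIPPET)):
        policy, findings = analyse_htaccess(snippet)
        print(label, "->", policy, findings or "no findings")
```

Running it shows the backslash version collapsing to a single directive line whose value parses to default-src and script-src, while the version without backslashes never yields a line that contains the whole directive, which is the "one directive per line" rule from the Apache documentation made visible.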

Hassan Mussana

Reputation: 1424

OK, so guys, it got solved by adding the same line, i.e.

Header set Content-Security-Policy "default-src 'self'; script-src 'self';"

but in the file /etc/apache2/apache2.conf and it worked. Got help from this: Use Content Security Policy scipt-src sha feature with Apache HTTP Server

Upvotes: 1

Mario

Reputation: 3379

Have you tried setting the header without line breaks? I'm not sure how Apache will append the headers, but I always thought (and please correct me if I'm wrong) they are parsed based on line breaks.

So try the following:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
</IfModule>

Also, you could set the header via PHP, which would make your Content-Security-Policy independent from the web server.

Upvotes: 2
