SJacks

Reputation: 438

CSP header not detected

For some reason both Mozilla Observatory and CSP validator are not detecting the CSP header in my .htaccess file yet the header is visible when viewed through Chrome.

Here's my current CSP header in my .htaccess file:

    Content-Security-Policy: script-src 'nonce-$RANDOM' 'strict-dynamic' 'unsafe-inline' object-src 'none'; base-uri 'none'; report-uri https://altfit.report-uri.com/r/d/csp/enforce;

Also, I noticed that the nonce is not working: inline scripts still load without a nonce in place, but if I make modifications to the CSP it can restrict script execution and the display of inline elements.

Info: Server is LiteSpeed. PHP version is 7.1.

Upvotes: 1

Views: 944

Answers (1)

SJacks

Reputation: 438

Fixed the issue by modifying the line in .htaccess to the following:

    Header set Content-Security-Policy: "default-src https: 'unsafe-inline'; report-uri https://altfitcom.report-uri.com/r/d/csp/enforce;"

The only issue now is the addition of 'unsafe-inline', but from what I have read, strict-dynamic and nonce do not work as a cross-platform solution, and I have to have inline JS for some onclick events.

Upvotes: 1
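As an added example (not code from the original post), a small Python checker that reproduces both problems in this thread: it extracts the CSP only from a `Header set` directive, so the bare `Content-Security-Policy:` line yields no header at all, and it lints the policy for the script-src weaknesses discussed here, including that browsers supporting CSP Level 2 or later ignore 'unsafe-inline' once a nonce is present. The two .htaccess strings are constructed from the thread, with the report-uri host replaced by a placeholder.

```python
import re
import shlex

# Constructed samples modelled on the two .htaccess lines in this thread
# (report-uri host replaced with a placeholder).
QUESTION_HTACCESS = ("Content-Security-Policy: script-src 'nonce-$RANDOM' 'strict-dynamic' "
                     "'unsafe-inline' object-src 'none'; base-uri 'none'; "
                     "report-uri https://example.invalid/r/d/csp/enforce;\n")
ANSWER_HTACCESS = ('Header set Content-Security-Policy: "default-src https: \'unsafe-inline\'; '
                   'report-uri https://example.invalid/r/d/csp/enforce;"\n')

# Only a mod_headers directive emits a response header; a bare "Name: value" line does not.
HEADER_RE = re.compile(
    r"^\s*Header\s+(?:always\s+)?(?:set|add|append|merge)\s+Content-Security-Policy:?\s+(.+)$",
    re.IGNORECASE | re.MULTILINE)

def extract_csp(htaccess: str):
    """Return the policy the server would send, or None if no Header directive sets one."""
    m = HEADER_RE.search(htaccess)
    return shlex.split(m.group(1))[0] if m else None  # shlex strips the surrounding quotes

def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_csp(directives: dict) -> list:
    """Return findings for the script-related weaknesses discussed in the thread."""
    findings = []
    script = directives.get("script-src", directives.get("default-src", []))
    if not script:
        return ["no script-src or default-src: inline and remote scripts are unrestricted"]
    has_nonce = any(s.startswith("'nonce-") for s in script)
    if "'unsafe-inline'" in script and not has_nonce:
        findings.append("'unsafe-inline' permits every inline <script> and on* handler")
    if "'unsafe-inline'" in script and has_nonce:
        findings.append("'unsafe-inline' is ignored by CSP2+ browsers once a nonce is present")
    if "'nonce-$RANDOM'" in script:
        findings.append("nonce is a literal placeholder, not a fresh random value per response")
    stray = [s for s in script if s.endswith("-src")]
    if stray:
        findings.append(f"{stray} parsed as sources of script-src: a ';' is missing before them")
    return findings

if __name__ == "__main__":
    for label, text in (("question", QUESTION_HTACCESS), ("answer", ANSWER_HTACCESS)):
        csp = extract_csp(text)
        print(label, "->", "header not emitted" if csp is None else lint_csp(parse_csp(csp)))
    # Lint the question's policy directly, as a browser would see it if it were actually sent.
    print("question policy ->", lint_csp(parse_csp(QUESTION_HTACCESS.split(": ", 1)[1])))
```

Replacing the inline onclick handlers with `addEventListener` calls inside a nonced `<script>` is what lets the 'unsafe-inline' finding go away without losing the event handling.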
