How to deploy Content-Security-Policy?
In order to deploy Content-Security-Policy (CSP), you will need to configure your web server to return Content-Security-Policy HTTP header.
Report-Only policy
The recommended first step in building your customized CSP is initially deploying a Content-Security-Policy-Report-Only policy. In this mode, the browser reports policy violations, so that you know which directives to add, but does not block anything in-practice.
Each language/framework has it's own syntax for adding HTTP reponse header. Here are some examples with content-security-policy-report-only header:
Magento 2
csp:manual_deploy_instructions.manual_magento.title
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
<default>
<csp>
<mode>
<storefront>
<report_only>1</report_only>
<report_uri>https://...</report_uri>
</storefront>
<admin>
<report_only>1</report_only>
<report_uri>https://...</report_uri>
</admin>
</mode>
</csp>
</default>
</config>Apache (.htaccess)
If you use Apache server, you can copy below rules under <code>VirtualHost</code> to add RapidSec CSP
Header set content-security-policy-report-only "default-src 'self'...;"
ASP.NET / IIS Server
If you use IIS server with/without ASP.NET, you can copy rules from here to add to the server <code>Web.config</code> file to add RapidSec CSP
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="content-security-policy-report-only" value="default-src 'self'...;" />
</customHeaders>
</httpProtocol>
</system.webServer>Go Lang
For a Go Lang application use below example middleware to add RapidSec CSP
func SecurityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("content-security-policy-report-only", "default-src 'self'...;")
next.ServeHTTP(w, r)
})
}
r.Use(SecurityHeaders)Django
For a Django application use below example middleware to add RapidSec CSP
class CSPMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
response['content-security-policy-report-only'] = "default-src 'self'...;"
return response
# In settings.py
MIDDLEWARE = [
...,
'appname.middleware.CSPMiddleware',
...
]
PHP
For a PHP application use below snippet to add RapidSec CSP
<?php
header("content-security-policy-report-only: default-src 'self'...;");Netlify
Create a <code>_headers</code> file at root of your project and add below rules to it
/* content-security-policy-report-only: default-src 'self'...;
Firebase
In <code>firebase.json</code> under <code>hosting</code> -> <code>headers</code> add below config to add RapidSec CSP
{
"hosting": {
"headers": [{
"source": "**/*",
"headers": [{
"key": "content-security-policy-report-only",
"value": "default-src 'self'...;"
}]
}]
}
}Vercel
Create a <code>vercel.json</code> file at the root of your project and fill it with the following contents to add RapidSec CSP
{
"routes": [
{
"src": "/(.*)",
"headers": {
"content-security-policy-report-only": "default-src 'self'...;"
}
}
]
}JSON
csp:manual_deploy_instructions.manual_json.title
{
"directives": {
"default-src": [
"'self'..."
]
},
"reportOnly": true
}Plain Text
csp:manual_deploy_instructions.manual_plain.title
content-security-policy-report-only: default-src 'self'...;
Wordpress
csp:manual_deploy_instructions.manual_wordpress.title
<IfModule mod_headers.c>
Header set content-security-policy-report-only "default-src 'self'...;"
</IfModule>Node.js
For a node.js application without using any external framework use below example to add RapidSec CSP
const http = require('http');
http.createServer((request, response) => {
// Handing the request
request.on(...);
response.writeHead(200, {
"content-security-policy-report-only: "default-src 'self'...;"
// other security headers here...
});
// Sending the response
response.end(...);
});Express.js
csp:manual_deploy_instructions.manual_expressjs.title
app.use(
contentSecurityPolicy({
"directives": {
"default-src": [
"'self'..."
]
},
"reportOnly": true
})
);Nginx (nginx.conf)
If you use NGINX server, you can copy rules from here to add to the server block in <code>nginx.conf</code> file to add RapidSec CSP
add_header content-security-policy-report-only "default-src 'self'...;" always;