How to manually deploy Content-Security-Policy?

To deploy Content-Security-Policy (CSP) manually, you need to configure your web server or application to return the Content-Security-Policy HTTP response header.

Report-Only policy

The recommended first step in building your customized CSP is to deploy a Content-Security-Policy-Report-Only policy. In this mode the browser reports policy violations, so that you know which directives to add, but does not block anything in practice.
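As an added example, not part of the original page or of RapidSec's tooling: a small Python collector for the violation reports a report-only policy generates. It accepts both the legacy report-uri JSON object and the Reporting API (report-to) array, and groups the blocked origins by directive so you can see what the policy is missing; the sample report bodies are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample POST bodies (not real traffic): three legacy report-uri
# objects and one Reporting API (report-to) array.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "script-src", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/cart", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/other.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '[{"type": "csp-violation", "age": 10, "url": "https://shop.example/", "body": {"documentURL": "https://shop.example/", "effectiveDirective": "img-src", "blockedURL": "https://img.example.org/a.png"}}]',
]

def _normalize(entry):
    """Return (effective directive, blocked URI) from either report shape, or None."""
    if "csp-report" in entry:                      # legacy report-uri body
        r = entry["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "")
        return (directive.split() or [""])[0], r.get("blocked-uri", "")  # older browsers append the policy
    if entry.get("type") == "csp-violation":       # Reporting API body
        body = entry["body"]
        return body["effectiveDirective"], body.get("blockedURL", "")
    return None

def parse_reports(raw_bodies):
    """Parse raw request bodies; each is one object or a Reporting API array."""
    pairs = []
    for raw in raw_bodies:
        payload = json.loads(raw)
        for entry in payload if isinstance(payload, list) else [payload]:
            norm = _normalize(entry)
            if norm:
                pairs.append(norm)
    return pairs

def source_expression(blocked_uri):
    """Reduce a blocked URI to the origin to allow-list; inline/eval stay as-is (fix those with a nonce or hash)."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"   # inline, eval, data, blob, or a stripped URI

def suggest_directives(raw_bodies):
    """Group violations by directive: {directive: [(source, count), ...]}."""
    counts = Counter((d, source_expression(b)) for d, b in parse_reports(raw_bodies))
    result = {}
    for (directive, src), n in sorted(counts.items()):
        result.setdefault(directive, []).append((src, n))
    return result
```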

Each language/framework has its own syntax for adding an HTTP response header. Here are some examples that set the content-security-policy-report-only header:

Magento 2

Edit the etc/config.xml file and add the configuration below:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                    <report_uri>https://...</report_uri>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                    <report_uri>https://...</report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>

Apache (.htaccess)

If you use the Apache web server, add the rule below to your .htaccess file or VirtualHost block to add the RapidSec CSP:

Header set content-security-policy-report-only "default-src 'self'...;"

ASP.NET / IIS Server

If you use IIS, with or without ASP.NET, add the rules below to the site's Web.config file to add the RapidSec CSP:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="content-security-policy-report-only" value="default-src 'self'...;" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Go Lang

For a Go application, use the example middleware below to add the RapidSec CSP:

import "net/http"

// SecurityHeaders wraps any handler and sets the report-only CSP header on every response.
func SecurityHeaders(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    w.Header().Add("content-security-policy-report-only", "default-src 'self'...;")
    next.ServeHTTP(w, r)
  })
}

// Register the middleware with your router (r is a router that exposes Use, such as chi or gorilla/mux).
// With net/http alone, wrap the mux instead: http.ListenAndServe(":8080", SecurityHeaders(mux))
r.Use(SecurityHeaders)

Django

For a Django application, use the example middleware below to add the RapidSec CSP:

class CSPMiddleware:
    """Sets the report-only CSP header on every response that passes through it."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response['content-security-policy-report-only'] = "default-src 'self'...;"
        return response

# In settings.py
MIDDLEWARE = [
    ...,
    'appname.middleware.CSPMiddleware',
    ...
]

PHP

For a PHP application, use the snippet below to add the RapidSec CSP:

<?php
// header() must run before any output is sent, or the header is silently dropped.
header("content-security-policy-report-only: default-src 'self'...;");

Netlify

Create a _headers file at the root of your project and add the rules below to it:

/*
  content-security-policy-report-only: default-src 'self'...;

Firebase

In firebase.json, under hosting -> headers, add the configuration below to add the RapidSec CSP:

{
  "hosting": {
    "headers": [{
      "source": "**/*",
      "headers": [{
        "key": "content-security-policy-report-only",
        "value": "default-src 'self'...;"
      }]
    }]
  }
}

Vercel

Create a vercel.json file at the root of your project and fill it with the following contents to add the RapidSec CSP:

{
  "routes": [
    {
      "src": "/(.*)",
      "headers": {
        "content-security-policy-report-only": "default-src 'self'...;"
      }
    }
  ]
}

JSON

Create a JSON file and use the snippet below to add the RapidSec CSP:

{
  "directives": {
    "default-src": [
      "'self'..."
    ]
  },
  "reportOnly": true
}

Plain Text

Already have a CSP? You can add the report-uri directive to it, or deploy the header below as-is:

content-security-policy-report-only: default-src 'self'...;

WordPress

To configure WordPress at the web-server level, add the snippet below to your .htaccess file to add the RapidSec CSP:

<IfModule mod_headers.c>
    Header set content-security-policy-report-only "default-src 'self'...;"
</IfModule>

Node.js

For a Node.js application that does not use an external framework, use the example below to add the RapidSec CSP:

const http = require('http');

http.createServer((request, response) => {
  // Handling the request: drain the body here (real request handling goes in its place)
  request.on('data', () => {});

  response.writeHead(200, {
    "content-security-policy-report-only": "default-src 'self'...;"

    // other security headers here...
  });

  // Sending the response
  response.end('OK');
}).listen(8080);

Express.js

Install the Express CSP Generator package and add the configuration below:

// contentSecurityPolicy is the middleware exported by the package installed above;
// app is your Express application instance.
app.use(
  contentSecurityPolicy({
    "directives": {
      "default-src": [
        "'self'..."
      ]
    },
    "reportOnly": true
  })
);

Nginx (nginx.conf)

If you use the NGINX server, add the rule below to the server block in nginx.conf to add the RapidSec CSP (the always parameter makes NGINX send the header on error responses too):

add_header content-security-policy-report-only "default-src 'self'...;" always;
