How to deploy Content-Security-Policy?
In order to deploy Content-Security-Policy (CSP), you will need to configure your web server to return Content-Security-Policy HTTP header.
Report-Only policy
The recommended first step in building your customized CSP is initially deploying a Content-Security-Policy-Report-Only policy. In this mode, the browser reports policy violations, so that you know which directives to add, but does not block anything in-practice.
Each language/framework has it's own syntax for adding HTTP reponse header. Here are some examples with content-security-policy-report-only header:
Magento 2
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
<default>
<csp>
<mode>
<storefront>
<report_only>1</report_only>
<report_uri>https://...</report_uri>
</storefront>
<admin>
<report_only>1</report_only>
<report_uri>https://...</report_uri>
</admin>
</mode>
</csp>
</default>
</config>Apache (.htaccess)
If you use Apache server, you can copy below rules "under VirtualHost" to add RapidSec CSP
Header set content-security-policy-report-only "default-src 'self'...;"
Microsoft IIS Server
If you use IIS server, you can copy rules from here to add to the server 'Web.config' file to add RapidSec CSP
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="content-security-policy-report-only" value="default-src 'self'...;" />
</customHeaders>
</httpProtocol>
</system.webServer>Go Lang
For a Go Lang application use below example middleware to add RapidSec CSP
func SecurityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("content-security-policy-report-only", "default-src 'self'...;")
next.ServeHTTP(w, r)
})
}
r.Use(SecurityHeaders)Django
For a Django application use below example middleware to add RapidSec CSP
class CSPMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
response = self.get_response(request)
response['content-security-policy-report-only'] = "default-src 'self'...;"
return response
# In settings.py
MIDDLEWARE = [
...,
'appname.middleware.CSPMiddleware',
...
]
PHP
For a PHP application use below snippet to add RapidSec CSP
<?php
header("content-security-policy-report-only: default-src 'self'...;");Netlify
Create a "_headers" file at root of your project and add below rules to it
/* content-security-policy-report-only: default-src 'self'...;
Firebase
In "firebase.json" under "hosting" -> "headers" add below config to add RapidSec CSP
{
"hosting": {
"headers": [{
"source": "**/*",
"headers": [{
"key": "content-security-policy-report-only",
"value": "default-src 'self'...;"
}]
}]
}
}Vercel
Create a vercel.json file at the root of your project and fill it with the following contents to add RapidSec CSP
{
"routes": [
{
"src": "/(.*)",
"headers": {
"content-security-policy-report-only": "default-src 'self'...;"
}
}
]
}JSON
{
"directives": {
"default-src": [
"'self'..."
]
},
"reportOnly": true
}Plain Text
content-security-policy-report-only: default-src 'self'...;
Wordpress
<IfModule mod_headers.c>
Header set content-security-policy-report-only "default-src 'self'...;"
</IfModule>Node.js
For a node.js application without using any external framework use below example to add RapidSec CSP
const http = require('http');
http.createServer((request, response) => {
// Handing the request
request.on(...);
response.writeHead(200, {
"content-security-policy-report-only: "default-src 'self'...;"
// other security headers here...
});
// Sending the response
response.end(...);
});Express.js
app.use(
contentSecurityPolicy({
"directives": {
"default-src": [
"'self'..."
]
},
"reportOnly": true
})
);Nginx (nginx.conf)
If you use NGINX server, you can copy rules from here to add to the server block in 'nginx.conf' file to add RapidSec CSP
add_header content-security-policy-report-only "default-src 'self'...;" always;