How to deploy Content-Security-Policy?
To deploy Content-Security-Policy (CSP), configure your web server or application to return the Content-Security-Policy HTTP response header on every HTML response.
Report-Only policy
The recommended first step in building your customized CSP is to deploy a Content-Security-Policy-Report-Only policy. In this mode the browser evaluates the policy and sends violation reports to the configured report-uri, so you learn which directives and sources to add, but it does not block anything in practice.
Each language/framework has its own syntax for adding an HTTP response header. Here are some examples that set the content-security-policy-report-only header:
Magento 2
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                    <report_uri>https://...</report_uri>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                    <report_uri>https://...</report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>
Apache (.htaccess)
If you use an Apache server, copy the rule below into the site's VirtualHost block or its .htaccess file (mod_headers must be enabled) to add the RapidSec CSP:
Header set content-security-policy-report-only "default-src 'self'...;"
Microsoft IIS Server
If you use an IIS server, copy the rules below into the site's 'Web.config' file to add the RapidSec CSP:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="content-security-policy-report-only" value="default-src 'self'...;" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
Go Lang
For a Go application, use the example middleware below to add the RapidSec CSP:
import "net/http"

// SecurityHeaders wraps a handler and sets the report-only CSP header
// before the wrapped handler writes its response.
func SecurityHeaders(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Add("content-security-policy-report-only", "default-src 'self'...;")
        next.ServeHTTP(w, r)
    })
}

// r is your router; Use registers the middleware for every route.
r.Use(SecurityHeaders)
Django
For a Django application, use the example middleware below to add the RapidSec CSP:
class CSPMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response['content-security-policy-report-only'] = "default-src 'self'...;"
        return response

# In settings.py
MIDDLEWARE = [
    ...,
    'appname.middleware.CSPMiddleware',
    ...
]
PHP
For a PHP application, use the snippet below to add the RapidSec CSP:
<?php
// header() must be called before any output is sent, or the header is not set
header("content-security-policy-report-only: default-src 'self'...;");
Netlify
Create a "_headers" file at the root of your project and add the rules below to it:
/*
  content-security-policy-report-only: default-src 'self'...;
Firebase
In "firebase.json", under "hosting" -> "headers", add the config below to add the RapidSec CSP:
{
  "hosting": {
    "headers": [
      {
        "source": "**/*",
        "headers": [
          {
            "key": "content-security-policy-report-only",
            "value": "default-src 'self'...;"
          }
        ]
      }
    ]
  }
}
Vercel
Create a vercel.json file at the root of your project and fill it with the following contents to add the RapidSec CSP:
{
  "routes": [
    {
      "src": "/(.*)",
      "headers": {
        "content-security-policy-report-only": "default-src 'self'...;"
      }
    }
  ]
}
JSON
{
  "directives": {
    "default-src": [
      "'self'..."
    ]
  },
  "reportOnly": true
}
Plain Text
content-security-policy-report-only: default-src 'self'...;
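The JSON and plain-text forms above describe the same policy, and the Report-Only section explains that the value of this mode is the violation reports the browser sends. The following added example (written for this page, not RapidSec's code) shows both halves: it serializes a directive map of the page's JSON shape into the header name/value pair, and it aggregates browser violation reports (the `csp-report` JSON bodies browsers POST to report-uri) into a per-directive list of origins the policy does not yet allow. The policy, the report-uri path `/csp-report` and all sample reports are constructed for illustration.

```python
"""Build a report-only CSP header from a directive map and summarize the
violation reports the browser sends, so missing sources become visible.
Added example, not RapidSec's code; all sample data is constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Same shape as the page's JSON form. The policy itself is a constructed
# example, not RapidSec's recommended policy.
POLICY = {
    "directives": {
        "default-src": ["'self'"],
        "script-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "report-uri": ["/csp-report"],  # assumed endpoint that receives reports
    },
    "reportOnly": True,
}


def build_csp_header(policy):
    """Serialize a directive map into a (header-name, header-value) pair.
    A report-only policy goes in the -report-only header so nothing is blocked."""
    name = ("content-security-policy-report-only"
            if policy.get("reportOnly") else "content-security-policy")
    value = "; ".join(f"{directive} {' '.join(sources)}"
                      for directive, sources in policy["directives"].items()) + ";"
    return name, value


def source_from_blocked_uri(blocked_uri):
    """Reduce a blocked-uri to the source expression you would allow-list.
    Browsers send 'inline'/'eval' for inline-script and eval violations and a
    bare scheme (e.g. 'data') for non-network schemes."""
    if blocked_uri in ("inline", "eval"):
        return blocked_uri
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # origin only, never the full path
    if blocked_uri and "/" not in blocked_uri and ":" not in blocked_uri:
        return f"{blocked_uri}:"  # 'data' -> 'data:'
    return blocked_uri or "(empty)"


def aggregate_reports(raw_reports):
    """Count (directive, source) pairs across raw JSON report bodies.
    Reports come from untrusted browsers, so malformed bodies are skipped."""
    counts = Counter()
    for raw in raw_reports:
        try:
            body = json.loads(raw)
        except ValueError:
            continue
        report = body.get("csp-report") if isinstance(body, dict) else None
        if not isinstance(report, dict):
            continue
        directive = report.get("effective-directive")
        if not directive:
            # Older browsers only send violated-directive, sometimes with sources appended.
            directive = report.get("violated-directive", "").split(" ", 1)[0]
        if not directive:
            continue
        source = source_from_blocked_uri(report.get("blocked-uri", ""))
        counts[(directive, source)] += 1
    return counts


def suggest_additions(counts, policy):
    """Return directive -> sorted sources seen in reports but not yet allowed.
    'inline' and 'eval' are listed so they are visible; the fix for those is a
    nonce/hash or a refactor, not 'unsafe-inline'/'unsafe-eval'."""
    directives = policy["directives"]
    suggestions = {}
    for (directive, source), _count in counts.most_common():
        allowed = directives.get(directive) or directives.get("default-src", [])
        if source not in allowed:
            suggestions.setdefault(directive, set()).add(source)
    return {d: sorted(s) for d, s in suggestions.items()}


# Constructed sample report bodies in the csp-report format.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.com/lib.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.com/lib.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://images.example.net/a.png"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/",
                               "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/",
                               "violated-directive": "style-src 'self'",
                               "blocked-uri": "https://fonts.example.org/x.css"}}),
    "{}",        # no csp-report key: skipped
    "not json",  # malformed body: skipped
]

if __name__ == "__main__":
    print(build_csp_header(POLICY))
    for directive, sources in suggest_additions(aggregate_reports(SAMPLE_REPORTS), POLICY).items():
        print(f"{directive}: {sources}")
```

Collapsing blocked-uri to its origin is deliberate: allow-listing full paths produces a brittle policy, while an origin-level entry matches what the page's `'self'`-style source expressions express. Once report volume for a directive drops to zero, the same directive map can be emitted with `reportOnly` set to false to switch to the enforcing header.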
WordPress
<IfModule mod_headers.c>
    Header set content-security-policy-report-only "default-src 'self'...;"
</IfModule>
Node.js
For a Node.js application that does not use an external framework, use the example below to add the RapidSec CSP:
const http = require('http');

http.createServer((request, response) => {
    // Handling the request
    request.on(...);
    // The header is part of the response head, so it must be set before the body is written
    response.writeHead(200, {
        "content-security-policy-report-only": "default-src 'self'...;"
        // other security headers here...
    });
    // Sending the response
    response.end(...);
});
Express.js
// contentSecurityPolicy is assumed to come from the helmet package, which
// accepts this directives/reportOnly shape; the page does not name the package.
const { contentSecurityPolicy } = require('helmet');

app.use(
    contentSecurityPolicy({
        "directives": {
            "default-src": [
                "'self'..."
            ]
        },
        "reportOnly": true
    })
);
Nginx (nginx.conf)
If you use an NGINX server, copy the rule below into the server block of your 'nginx.conf' file to add the RapidSec CSP:
add_header content-security-policy-report-only "default-src 'self'...;" always;