.htaccess Content Security Policy

Content Security Policy (CSP) mitigates cross-site scripting and other content-injection attacks: the header declares which sources of content the browser may load for your website, and the browser blocks anything that is not on that allow-list.

Note:

There is no policy that fits all websites.

You need to create one that suits your website!

For example:

<IfModule mod_headers.c>
# Set the header on every response (including error pages) whose Content-Type is HTML, JavaScript, PDF or XML.
Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
</IfModule>

Note:

You can use the Google CSP validator to make sure your header does what you want it to do.
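As an added example (not part of the original page or of any validator), the following Python lints a CSP value offline the way such a validator would: it parses the header, applies the default-src fallback rules, and flags weak sources and missing standalone directives. The STRICT and WEAK values are constructed inputs; STRICT is the policy from the .htaccess above.

```python
"""Parse a Content-Security-Policy value and flag weak or missing directives."""
from typing import Dict, List

# Directives that do NOT fall back to default-src, so they must be set explicitly.
STANDALONE = ("base-uri", "form-action", "frame-ancestors")
# Source expressions that defeat the purpose of a script/object allow-list.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source tokens]}.

    Directives are ';'-separated, tokens whitespace-separated; names are
    case-insensitive and only the first occurrence of a directive counts.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources applying to a fetch directive, honouring the default-src fallback."""
    return policy.get(directive, policy.get("default-src", []))


def check_csp(header: str) -> List[str]:
    """Return findings for a CSP value; an empty list means no check fired."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives allow everything")
    for directive in ("script-src", "object-src"):
        weak = [s for s in effective(policy, directive) if s.lower() in WEAK_SOURCES]
        if weak:
            findings.append(f"{directive} allows {' '.join(weak)}")
    for directive in STANDALONE:
        if directive not in policy:
            findings.append(f"{directive} missing: it does not inherit from default-src")
    return findings


# Constructed inputs: the policy from the .htaccess above, and a deliberately weak one.
STRICT = ("default-src 'self'; base-uri 'none'; form-action 'self'; "
          "frame-ancestors 'none'; upgrade-insecure-requests")
WEAK = "default-src * 'unsafe-inline'; script-src 'self' https: 'unsafe-eval'"

if __name__ == "__main__":
    for name, value in (("strict", STRICT), ("weak", WEAK)):
        print(name, check_csp(value) or ["no findings"])
```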