Adding CSP to a Wordpress Droplet

Question

I have tried multiple ways of adding CSP and other security measures to my .htaccess, but I was wondering if this is the best way to do this. I can’t seem to even get it working with the .htaccess file.

Jonathan Tittle · Answer

@brendonray

You may want to take a look at https://content-security-policy.com/ for examples.

For Apache, you should be able to use the following in either your VirtualHost or .htaccess file.

Header set Content-Security-Policy "default-src 'self';"

There’s also an example by HTML 5 Boilerplate, which is set in the VirtualHost.

<IfModule mod_headers.c>

    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

    # `mod_headers` cannot match based on the content-type, however,
    # the `Content-Security-Policy` response header should be send
    # only for HTML documents and not for the other resources.

    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset Content-Security-Policy
    </FilesMatch>

</IfModule>

Related

Question

Adding CSP to a Wordpress Droplet

Related