htaccess Content-Security-Policy/CSP headers blocked
I am trying to set the Content-Security-Policy/CSP headers in the .htaccess file. But, its getting blocked for some reason in both development and production environments.
The same thing is happening for the .css and other sources like images.
Header set X-XSS-Protection "1; mode=block"
Header add Content-Security-Policy "script-src 'self' http://*.google.com https://*.google.com https://*.googleapis.com"
...
I have already tried googling for the solution, but so far no luck.
Solution
The problem has been solved.
I had to define all the base urls and specific paths of the external resources with http and https protocol. Along with the self to allow all the files of the application and unsafe-inline for running the inline scripts written on the page.
<IfModule mod_headers.c>
...
Header add Content-Security-Policy "\
default-src 'self' 'unsafe-inline' https://translate.googleapis.com http://translate.googleapis.com ...; \
style-src 'self' 'unsafe-inline' https://fonts.gstatic.com ...; \
img-src 'self' 'unsafe-inline' https://www.google-analytics.com http://www.google-analytics.com ...; \
font-src 'self' 'unsafe-inline' https://fonts.gstatic.com ...; \
...;"
</IfModule>
Please note:
- Using
unsafe-inlineis considered a security threat. - Try to use the specific url(s) if you are not requesting the multiple files from the same source.
I hope this will help someone in need.
- How to write a clean URL with mod_rewrite using virtual dirs, actual dirs and variables as a combination
- I need redirect /item/x to /item/y in .htaccess
- How to get MAMP to read .htaccess files
- .htaccess trying to create Clean URLs mod_rewrite
- How can I redirect to a different domain without changing the URL in the address bar?
- Htaccess rule to redirect domain to index.html
- I created a subdomain and when I try to reach it , it gives access denied error
- Should I escape these characters with a backslash in .htaccess?
- .htaccess assistance with rewrite rule
- PHP - how to make page visible only in local network
- my .htaccess file not working with 404 error page in html
- Rewrite rule to resolve 2 use cases
- How do I make URLs case insensitive in Linux server
- How to password protect a directory that contains an OpenCart shop
- Check HTTP_REFERER on a Windows server
- .htaccess redirect HTTP to HTTPS
- How to Allow Access to Only Specific URLs and Rewrite Them Using Apache .htaccess?
- Apache - Permissions are missing on a component of the path
- Where and How to set Vary: User-Agent HTTP Header
- $_GET is always empty using .htaccess RewriteRule with L flag
- htaccess - redirect domain to a specific page, unless a path is spefcified
- Remove public form URL in Laravel when uploaded on cPanel also always redirect to https://
- Can I force .htaccess to refresh?
- Access-Control-Allow-Origin Multiple Origin Domains?
- Force SSL/https using .htaccess and mod_rewrite
- Laravel reverts to /public/ in URLs when trailing slashes are added
- Laravel 8 misbehaves on trailing slash
- How to properly make 301 redirect
- Allow access to page only from certain referrer
- How to enable .htaccess support with PHP-FPM, Nginx, and Apache2 on Ubuntu 24.04 with FastPanel?