
Apache Web Server Multiple Content Security Policy directive headers


I'm working on a Content Security Policy and I have a question regarding multiple Apache Header directives. Referencing this page, I can have multiple CSP Headers, but the strictest one prevails.

Content-Security-Policy: img-src 'self';
Content-Security-Policy: img-src 'self' img.example.com;

I'd like to break out each CSP category so the Apache config file is more readable. My question is, is this single line Apache Header directive:

Header Set Content-Security-Policy "frame-src 'self' https://*.example.com https://*.youtube.com ; style-src 'self' https://CssAssets.example.com ; font-src 'self' *.googlefonts.com ; script-src-elem 'self' https://www.googletagmanager.com 'sha256-/5FvV9Vy9L+Q8i33gdJ9sHKsx4DwjcuiL0tBoqqJ/EE=' ; script-src 'unsafe-inline' ; default-src 'self' example.gov ;"

equivalent to

Header Set Content-Security-Policy "frame-src 'self' https://*.example.com https://*.youtube.com ; "
Header Add Content-Security-Policy "style-src 'self' https://CssAssets.example.com ; "
Header Add Content-Security-Policy "font-src 'self' *.googlefonts.com ; "
Header Add Content-Security-Policy "script-src-elem 'self' https://www.googletagmanager.com 'sha256-/5FvV9Vy9L+Q8i33gdJ9sHKsx4DwjcuiL0tBoqqJ/EE=' ; "
Header Add Content-Security-Policy "script-src 'unsafe-inline' ; "
Header Add Content-Security-Policy "default-src 'self' example.gov ; "

Solution

  • No, these configs are not equivalent, and using multiple Header Add Content-Security-Policy directives like that will not combine into a single effective policy.

    You should combine all your CSP directives into a single header line like:

    Header set Content-Security-Policy "default-src 'self' example.gov; frame-src 'self' https://*.example.com https://*.youtube.com; style-src 'self' https://CssAssets.example.com; font-src 'self' *.googlefonts.com; script-src-elem 'self' https://www.googletagmanager.com 'sha256-/5FvV9Vy9L+Q8i33gdJ9sHKsx4DwjcuiL0tBoqqJ/EE='; script-src 'unsafe-inline';"
    

    Or, for better readability, you can also do it like this:

    Header set Content-Security-Policy "\
      default-src 'self' example.gov; \
      frame-src 'self' https://*.example.com https://*.youtube.com; \
      style-src 'self' https://CssAssets.example.com; \
      font-src 'self' *.googlefonts.com; \
      script-src-elem 'self' https://www.googletagmanager.com 'sha256-/5FvV9Vy9L+Q8i33gdJ9sHKsx4DwjcuiL0tBoqqJ/EE='; \
      script-src 'unsafe-inline';"
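To see why the six separate headers are not the same policy as the single combined header, here is an added example (not code from the question or answer) that evaluates a resource load against a list of CSP header values the way a browser does: each header is enforced independently, so a load must be allowed by every one of them. It assumes the page origin is https://example.gov, implements only a simplified subset of source matching (no ports, no scheme upgrade, a small fallback-to-default-src table), and uses trimmed versions of the question's header values as constructed sample input.

```python
from urllib.parse import urlparse

# Directives that fall back to default-src when absent (subset; assumption for this example).
FALLBACK_TO_DEFAULT = {"frame-src", "style-src", "font-src", "script-src", "img-src"}

def parse_policy(header_value):
    """Turn "frame-src a b; style-src c" into {"frame-src": ["a", "b"], "style-src": ["c"]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Simplified source-expression match: 'self', host (optionally with scheme) and *.host wildcards."""
    u, page = urlparse(url), urlparse(page_origin)
    if source == "'self'":
        return (u.scheme, u.netloc.lower()) == (page.scheme, page.netloc.lower())
    if source.startswith("'"):            # 'unsafe-inline', hashes, nonces: not URL sources
        return False
    s = urlparse(source if "://" in source else f"{page.scheme}://{source}")
    if s.scheme != u.scheme:
        return False
    host, want = s.netloc.lower(), u.netloc.lower()
    return want.endswith(host[1:]) if host.startswith("*.") else want == host

def policy_allows(policy, directive, url, page_origin):
    """Does one policy permit this load? Absent directive -> default-src -> unrestricted."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                       # nothing governs this load: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)

def headers_allow(header_values, directive, url, page_origin="https://example.gov"):
    """Every CSP header is enforced on its own, so a load must be permitted by all of them."""
    return all(policy_allows(parse_policy(h), directive, url, page_origin) for h in header_values)

# Constructed sample input, trimmed from the question's two configurations.
SINGLE = ["default-src 'self' example.gov; frame-src 'self' https://*.example.com https://*.youtube.com; "
          "style-src 'self' https://CssAssets.example.com; font-src 'self' *.googlefonts.com; "
          "script-src-elem 'self' https://www.googletagmanager.com; script-src 'unsafe-inline';"]
MULTI = ["frame-src 'self' https://*.example.com https://*.youtube.com ;",
         "style-src 'self' https://CssAssets.example.com ;",
         "font-src 'self' *.googlefonts.com ;",
         "script-src-elem 'self' https://www.googletagmanager.com ;",
         "script-src 'unsafe-inline' ;",
         "default-src 'self' example.gov ;"]

if __name__ == "__main__":
    for name, hdrs in (("single header", SINGLE), ("six headers", MULTI)):
        ok = headers_allow(hdrs, "frame-src", "https://www.youtube.com/embed/x")
        print(f"{name}: YouTube frame {'allowed' if ok else 'BLOCKED'}")
```

With the six headers, the last one (`default-src 'self' example.gov`) has no frame-src of its own, so its default-src governs frames and blocks YouTube even though the first header allows it; the same happens to the CssAssets stylesheet.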