• Resolved Alain Lankers

    (@alain-lankers)


    I am setting up the Content Security Policy header for a website. I only try to set the default-src setting, but every option I tried (* or self…) makes the website not load. I only see the icon of the website loading, but it keeps loading. I have no issues with the other headers. Any suggestions for this header?

    • This topic was modified 5 years, 3 months ago by Alain Lankers.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi @alain-lankers

    It may be a bit difficult to configure the CSP header, because there is no standard recommendation for that. You need to analyse all the resources (CSS, JS, Fonts, Images) that your website uses and other document requests (AJAX, Iframes), and then set up the CSP accordingly.

    To avoid a possible interruption of your website, a good practice is to activate the “Report-Only” mode of CSP. In this case browsers will not throw any errors and will instead post them to an endpoint of your choice, where you can see them in order to change your CSP configuration.

    Another, quicker approach is to look for errors in your browser DevTools console. This way you will see exactly which resource breaks your current policy and can decide whether to include it or not.

    Hope this helps you
    Dimitar
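
An added example (not part of the reply above, and not the plugin's code): one way to turn the violation reports that Report-Only mode posts to an endpoint into a candidate policy. The sample reports, the example.com hosts and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample bodies in the JSON shape browsers POST to a CSP report-uri endpoint.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "font-src \'self\'", "blocked-uri": "https://fonts.example.org/a.woff2"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "img-src", "blocked-uri": "data"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    'not json',
]

def source_for(blocked_uri, document_uri):
    """Map a blocked-uri to a source expression; None means review by hand."""
    if blocked_uri in ("", "inline", "eval"):
        return None  # inline/eval code: never allowlisted automatically
    parts = urlsplit(blocked_uri)
    if not parts.netloc:  # scheme-only value such as "data" or "blob"
        return (parts.scheme or blocked_uri).rstrip(":") + ":"
    origin = f"{parts.scheme}://{parts.netloc}"
    doc = urlsplit(document_uri)
    return "'self'" if origin == f"{doc.scheme}://{doc.netloc}" else origin

def summarize(raw_bodies):
    """Group reported violations into per-directive sources plus a manual-review list."""
    sources, review = {}, []
    for body in raw_bodies:
        try:
            report = json.loads(body)["csp-report"]
            # Older reports carry the whole directive text; keep only its name.
            directive = (report.get("effective-directive")
                         or report["violated-directive"]).split()[0]
            blocked = str(report.get("blocked-uri", ""))
            src = source_for(blocked, str(report.get("document-uri", "")))
        except (ValueError, KeyError, TypeError, AttributeError, IndexError):
            continue  # the endpoint is unauthenticated, so skip malformed posts
        if src is None:
            review.append((directive, blocked))
        else:
            sources.setdefault(directive, set()).add(src)
    return sources, review

def build_policy(sources):
    """Build a candidate value for the Content-Security-Policy-Report-Only header."""
    merged = {"default-src": set(), **sources}
    return "; ".join(
        " ".join([d, "'self'", *sorted(merged[d] - {"'self'"})]) for d in sorted(merged))

if __name__ == "__main__":
    found, needs_review = summarize(SAMPLE_REPORTS)
    print(build_policy(found), needs_review, sep="\n")
```

Entries in the review list are inline or eval violations, which are left for a manual decision rather than being added to the policy.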

    Thread Starter Alain Lankers

    (@alain-lankers)

    Thanks for the suggestions. With the help of the Dev tools console I got it set up now. It’s a great plugin.

    Plugin Author Dimitar Ivanov

    (@zinoui)

    You’re welcome

  • The topic ‘Content Security Policy issues’ is closed to new replies.