Implementing a Content Security Policy

Hi everyone!
I’m trying to add a CSP to the server that runs my Grav website.
So I added this into the .htaccess:

Headers set Content-Security-Policy "default-src 'self'*"

Of course, I got an internal server error (500).
Do you have any documentation on which domains to allow?

Thanks a lot!

ps: I am quite new to back-end development.
pps: You’re doing an amazing job <3


Not sure about that but this is what I have in the .htaccess file:

# CORS header for image files, set only when the request carries an Origin header
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
      SetEnvIf Origin ":" IS_CORS
      Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </FilesMatch>
  </IfModule>
</IfModule>

# CORS header for fonts, CSS and JS, set unconditionally
<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>

I think I got this from MaxCDN’s technical support.

btw thanks for the props :slight_smile:

Alright, thanks! I’ll dig into it and keep you posted :slight_smile:


What I have in my virtualhost (nginx):

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: ; style-src 'self' 'unsafe-inline'; font-src 'self'; child-src 'none'; object-src 'self' ; connect-src 'self'";

Have a look at ; there is a sample at the bottom of the page for Apache; in your case, it should be (not tested):

Header set Content-Security-Policy "default-src 'self';"

Hope it helps!
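An added example, not code from this thread or from Grav: a small Python linter that parses a Content-Security-Policy value and reports what a browser would reject or what weakens the policy. It is run over the three policies quoted above (the first post's `default-src 'self'*`, the nginx policy, and the suggested Apache one); the only assumption is that the header value is passed in without the surrounding Apache/nginx directive.

```python
import re

# Source expressions CSP accepts (the subset needed for the policies in this thread).
SOURCE = re.compile(
    r"^(?:'(?:self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic"
    r"|report-sample|wasm-unsafe-eval)'"
    r"|'(?:nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'"
    r"|\*|[a-z][a-z0-9+.-]*:"
    r"|(?:https?://)?(?:\*\.)?[a-z0-9.-]+(?::\d+)?(?:/\S*)?)$",
    re.IGNORECASE,
)

# The three header values quoted in the thread (the directive keyword stripped).
# Note: the 500 in the first post comes from the directive name ("Headers" is not
# an Apache directive; mod_headers provides "Header"), not from the policy value.
PAGE_POLICIES = {
    "first_post": "default-src 'self'*",
    "nginx": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
             "img-src 'self' data: ; style-src 'self' 'unsafe-inline'; font-src 'self'; "
             "child-src 'none'; object-src 'self' ; connect-src 'self'",
    "apache_suggested": "default-src 'self';",
}

def parse_csp(header_value):
    """Split a CSP value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def lint_csp(header_value):
    """Return findings: malformed sources (ignored by browsers) and script sources
    that let injected or any-origin script execute."""
    policy = parse_csp(header_value)
    findings = []
    for name, sources in policy.items():
        for src in sources:
            if not SOURCE.match(src):
                findings.append(f"{name}: malformed source {src!r}, browsers ignore it")
    # script-src falls back to default-src when absent; that is what governs XSS.
    governing = "script-src" if "script-src" in policy else "default-src"
    for src in policy.get(governing, []):
        if src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            findings.append(f"{governing}: {src} lets injected or any-origin script run")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: missing and no default-src to fall back on")
    return findings

if __name__ == "__main__":
    for label, value in PAGE_POLICIES.items():
        print(label, "->", lint_csp(value) or ["no findings"])
```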