Implementing a Content Security Policy

Hi everyone!
I’m trying to add a CSP to the server that runs my Grav website.
So I added this into the .htaccess:

Headers set Content-Security-Policy "default-src 'self' https://fonts.googleapis.com/*"

Of course, I got an internal server error (500).
Do you have any documentation on which domains to allow?

Thanks a lot!

ps: I am quite new to back-end development.
pps: You’re doing an amazing job <3

Nico.

Not sure about that but this is what I have in the getgrav.org .htaccess file:

<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
      SetEnvIf Origin ":" IS_CORS
      Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </FilesMatch>
  </IfModule>
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>

I think I got this from MaxCDN’s technical support.

btw thanks for the props :slight_smile:

Alright, thanks! I’ll dig into it and keep you posted :slight_smile:

Hi,

What I have in my virtualhost (nginx):

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' www.gravatar.com data: ; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com; child-src 'none'; object-src 'self' ; connect-src 'self' getgrav.org";

Have a look at https://content-security-policy.com/; there is a sample at the bottom of the page for Apache; in your case, it should be (not tested):

Header set Content-Security-Policy "default-src 'self' fonts.googleapis.com;"

Hope it helps!
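As an added example (not from anyone in this thread), here is a small Python checker that splits a CSP value the way browsers do (';'-separated directives, first occurrence of a directive wins) and flags the settings worth a second look: 'unsafe-inline' / 'unsafe-eval', wildcard or scheme-only script sources, object-src not locked down, and a trailing "/*" (CSP has no path wildcard; the path is matched literally). The sample input is the nginx policy quoted above.

```python
from typing import Dict, List

# Constructed input: the nginx policy quoted earlier in this thread.
SAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' www.gravatar.com data: ; style-src 'self' 'unsafe-inline'; "
    "font-src 'self' fonts.googleapis.com; child-src 'none'; object-src 'self' ; "
    "connect-src 'self' getgrav.org"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated; the first token
    names the directive (case-insensitive). A repeated directive is ignored,
    which is what browsers do: the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def review_csp(header: str) -> List[str]:
    """Return findings for risky settings; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive you omit is unrestricted")
    fallback = policy.get("default-src", [])
    # script-src and style-src fall back to default-src when absent.
    for name in ("script-src", "style-src"):
        sources = policy.get(name, fallback)
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"{name} allows {weak}: inline/eval'd code is not blocked")
        for src in sources:
            if src == "*" or src.endswith(":"):  # e.g. "*", "https:", "data:"
                findings.append(f"{name}: source '{src}' admits any host")
    # Plugin content (object/embed) should normally be disabled outright.
    if policy.get("object-src", fallback) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can still load")
    for name, sources in policy.items():
        for src in sources:
            if src.endswith("/*"):
                findings.append(f"{name}: '{src}' is matched literally; CSP paths have no '*' wildcard")
    return findings
```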