Deploying Content-Security-Policy

Content-Security-Policy is delivered as an HTTP response header. This means that the web server (or the application behind it) must include the Content-Security-Policy header as part of its response.

The following examples show how to set the Content Security Policy header in several languages and frameworks.

Every library and framework has its own way of setting HTTP headers.

Usually it's as simple as:

response.setHeader("Content-Security-Policy-Report-Only", "default-src ...;")

Examples

NodeJS / Express

// Express middleware: set the header on every response before the route handler runs
app.use(function(req, res, next) {
  res.setHeader("content-security-policy-report-only", "default-src 'self'; script-src 'self' 'report-sample'; style-src 'self' 'report-sample'; base-uri 'none'; object-src 'none'; report-uri https://5e52f4c893efcda6a7d40460.endpoint.csper.io")
  next();
});

Go

// SecurityHeaders wraps a handler and adds the CSP header to every response
func SecurityHeaders(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // set the header before the wrapped handler writes the response body
    w.Header().Add("Content-Security-Policy-Report-Only", "default-src ...;")
    next.ServeHTTP(w, r)
  })
}
...
r.Use(SecurityHeaders)

Apache

.htaccess

# In .htaccess or inside a <VirtualHost> block (requires mod_headers)
Header set Content-Security-Policy-Report-Only "default-src 'self'...;"

Nginx

nginx.conf

# in server {} block
# append "always" before the semicolon if the header should also be sent on error responses (4xx/5xx)
add_header Content-Security-Policy-Report-Only "default-src 'self'...;";

Django

class CSPMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        # this is the enforcing header; use 'Content-Security-Policy-Report-Only'
        # for the report-only rollout described below
        response['Content-Security-Policy'] = "default-src 'self' ...;"
        return response

# In settings.py
MIDDLEWARE = [
  ...,
  'appname.middleware.CSPMiddleware',
  ...
]

Report-Only

The first time CSP is rolled out, it is highly recommended to use it in report-only mode.

This means that the browser won't actually block any content; it only sends a report for each violation to the report-uri endpoint. It's great for testing out a new policy before enforcing it.
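The reports that arrive in this mode are JSON documents with a top-level "csp-report" key. The following is an added example that is not from the original page: it parses such reports and tallies them by directive and blocked URI, which is what you review before switching the header to enforcing. Function names and the sample reports are the editor's own assumptions.

```javascript
// Added example, not code from the original page: parse and tally the JSON
// violation reports a browser POSTs to the report-uri while the header is in
// Report-Only mode. Names are the author's own; sample reports are constructed.

const MAX_REPORT_BYTES = 64 * 1024;  // assumed cap; refuse before JSON.parse

// Extract the useful fields from one report-uri POST body, or return null
// when the body is not a CSP violation report.
function parseCspReport(body) {
  if (typeof body !== "string" || body.length > MAX_REPORT_BYTES) return null;
  let data;
  try { data = JSON.parse(body); } catch (e) { return null; }
  const r = data && data["csp-report"];
  if (!r || typeof r !== "object") return null;
  // effective-directive is the directive the browser actually applied (e.g.
  // script-src when only default-src was set); older browsers send only
  // violated-directive, sometimes with its full text, so keep the first token.
  const raw = r["effective-directive"] || r["violated-directive"] || "";
  return {
    documentUri: String(r["document-uri"] || ""),
    directive: String(raw).split(/\s+/)[0],
    blockedUri: String(r["blocked-uri"] || ""),  // "inline" for inline code
    lineNumber: Number(r["line-number"] || 0),
    // script-sample is only filled in when the policy contains 'report-sample'
    scriptSample: String(r["script-sample"] || ""),
  };
}

// Count parsed reports by (directive, blocked URI). Review these counts before
// switching from Report-Only to enforcing: each key is either a legitimate
// source the policy must allow or an inline/injected use that must be fixed.
function tallyReports(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const rep = parseCspReport(body);
    if (rep === null) continue;
    const key = rep.directive + " " + rep.blockedUri;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample reports: one blocked external script, one inline script.
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/checkout",
    "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/analytics.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src 'self' 'report-sample'", "blocked-uri": "inline",
    "line-number": 42, "script-sample": "console.log('hello')" } }),
];
```

Feed the raw request bodies received at your report-uri route into tallyReports; the resulting map tells you which directives still need adjusting before the header is renamed from Content-Security-Policy-Report-Only to Content-Security-Policy.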