Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
Allow everything but only from the same origin:
default-src 'self';
Only allow scripts from the same origin:
script-src 'self';
Allow Google Analytics, the Google AJAX CDN and the same origin:
script-src 'self' www.google-analytics.com ajax.googleapis.com;
Nginx Content Security Policy Configuration
Add the following config to the server section. Each directive name may appear only once in a policy; browsers keep the first occurrence and ignore any repeat, so the extra hosts go into the single script-src:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;";
- Starter Policy
This policy allows images, scripts, AJAX, and CSS from the same origin, and does not allow any other resources to load (e.g. object, frame, media, etc.). It is a good starting point for many sites.
default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
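The two rules that decide what a policy like the ones above actually permits are that a missing fetch directive falls back to default-src and that a directive name listed twice is only honoured the first time. The following is an added example (not code from this wiki) that applies both rules to a policy string; the `FALLBACK_DIRECTIVES` set and the sample policies are assumptions constructed for it.

```python
# Added example, not part of the wiki page: a minimal CSP parser that resolves
# which source list governs a fetch directive, applying two browser rules:
# a repeated directive name is ignored (the first occurrence wins), and a
# missing fetch directive falls back to default-src.
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when absent (common subset).
FALLBACK_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                       "object-src", "frame-src", "media-src", "font-src"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a policy string into {directive: [source expressions]}.
    Directives are ';'-separated; a name seen twice keeps only its first value."""
    parsed: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in parsed:   # drop later duplicates
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def effective_sources(policy: str, directive: str) -> Optional[List[str]]:
    """Source list that applies to `directive`, or None if unrestricted."""
    parsed = parse_csp(policy)
    if directive in parsed:
        return parsed[directive]
    if directive in FALLBACK_DIRECTIVES:
        return parsed.get("default-src")
    return None


def allows(policy: str, directive: str, source: str) -> bool:
    """Whether `source` (a host or keyword such as 'self') may load under
    `directive`. Simplified: exact token match, no scheme or wildcard hosts."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    return "*" in sources or source in sources


# Constructed inputs: a policy in which script-src appears twice (an easy
# mistake when the snippets above are concatenated into one header), the
# same policy with the duplicate removed, and the starter policy.
DUPLICATED = ("default-src 'self'; script-src 'self'; "
              "script-src 'self' www.google-analytics.com ajax.googleapis.com;")
FIXED = "default-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;"
STARTER = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
```

Running `allows(DUPLICATED, "script-src", "ajax.googleapis.com")` returns False while the fixed policy returns True, which is the behaviour to check for when a CSP header is assembled from several snippets.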
- X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
The added security is only provided if the user accessing the document is using a browser supporting X-Frame-Options.
There are three possible directives for X-Frame-Options:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:
add_header X-Frame-Options SAMEORIGIN;
If you get an error like this:
Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY') encountered when loading 'https://example.com'. Falling back to 'DENY'.
then PHP is also sending the header. Configure nginx to drop the copy coming from the PHP backend so that only one X-Frame-Options header reaches the browser:
fastcgi_hide_header X-Frame-Options; # FastCGI mode
proxy_hide_header X-Frame-Options; # proxy mode
Reference: Content Security Policy (CSP) Quick Reference Guide