- # Content-Security-Policy (Apache)
-
- Self-hosted fonts: no `fonts.googleapis.com` or `fonts.gstatic.com`. Static assets (including `woff2`) are served from `'self'`.
-
- Adjust `report-uri` if your API base path or host differs (example below targets UAT).
-
- ## Enforcing
-
- ```apache
- Header always set Content-Security-Policy "default-src 'self'; \
- base-uri 'self'; \
- object-src 'none'; \
- frame-ancestors 'none'; \
- form-action 'self'; \
- script-src 'self'; \
- style-src 'self' 'unsafe-inline'; \
- style-src-elem 'self' 'unsafe-inline'; \
- img-src 'self' data: https://www.w3.org https://w3.org; \
- media-src 'self' blob:; \
- font-src 'self' data:; \
- connect-src 'self'; \
- upgrade-insecure-requests"
- ```
-
- ## Report-Only
-
- Same policy plus violation reporting:
-
- ```apache
- Header always set Content-Security-Policy-Report-Only "default-src 'self'; \
- base-uri 'self'; \
- object-src 'none'; \
- frame-ancestors 'none'; \
- form-action 'self'; \
- script-src 'self'; \
- style-src 'self' 'unsafe-inline'; \
- style-src-elem 'self' 'unsafe-inline'; \
- img-src 'self' data: https://www.w3.org https://w3.org; \
- media-src 'self' blob:; \
- font-src 'self' data:; \
- connect-src 'self'; \
- upgrade-insecure-requests; \
- report-uri https://pnspsuat.gld.gov.hk/api/csp-report"
- ```
-
- ## Notes
-
- - **`style-src-elem`**: Explicit, alongside `style-src`, for `<link rel="stylesheet">` behaviour in modern browsers.
- - **`img-src`**: Includes `https://www.w3.org` and `https://w3.org` so W3C URLs that redirect between hosts are allowed.
- - **`font-src`**: `'self' data:` covers bundled fonts and `data:` URLs if used.
- - Add origins to the relevant directive only if you introduce third-party scripts, styles, fonts, or APIs.
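Review bot: the Report-Only variant will not exercise every directive it carries. Browsers ignore `upgrade-insecure-requests` when it is delivered via `Content-Security-Policy-Report-Only`, and likewise ignore `frame-ancestors` in a report-only header, so violations of those two directives will never reach `report-uri` and the "Same policy plus violation reporting" wording overstates what a report-only trial validates; a line in Notes saying which directives only take effect under the enforcing header would avoid a false sense of coverage. Two smaller points: `report-uri` is deprecated in favour of the Reporting API (`report-to` backed by a `Reporting-Endpoints` header), so declaring both keeps reports flowing as browsers drop the old directive; and `'unsafe-inline'` in `style-src` / `style-src-elem` is the one remaining relaxation in an otherwise tight policy, so Notes should record which inline styles require it and whether hashes or nonces could replace it, since it is the directive a reader is most likely to copy into production unchanged.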