# Content-Security-Policy (Apache)

Self-hosted fonts: no `fonts.googleapis.com` or `fonts.gstatic.com`. Static assets (including `woff2`) are served from `'self'`. Adjust `report-uri` if your API base path or host differs (the example below targets UAT).

`Header always set` is used so the policy is also attached to error responses (4xx/5xx), not only to 2xx responses as plain `Header set` would do. The trailing backslashes are Apache line continuations; the browser receives one single-line header value.

## Enforcing

```apache
Header always set Content-Security-Policy "default-src 'self'; \
    base-uri 'self'; \
    object-src 'none'; \
    frame-ancestors 'none'; \
    form-action 'self'; \
    script-src 'self'; \
    style-src 'self' 'unsafe-inline'; \
    style-src-elem 'self' 'unsafe-inline'; \
    img-src 'self' data: https://www.w3.org https://w3.org; \
    media-src 'self' blob:; \
    font-src 'self' data:; \
    connect-src 'self'; \
    upgrade-insecure-requests"
```

## Report-Only

Same policy plus violation reporting. Nothing is blocked by this header; violations are POSTed to the `report-uri` endpoint (Content-Type `application/csp-report`, a JSON body wrapped in `"csp-report"`), so that endpoint must accept unauthenticated POSTs. Both headers can be sent at the same time, which lets you trial a stricter candidate policy in Report-Only while the current one stays enforced.

```apache
Header always set Content-Security-Policy-Report-Only "default-src 'self'; \
    base-uri 'self'; \
    object-src 'none'; \
    frame-ancestors 'none'; \
    form-action 'self'; \
    script-src 'self'; \
    style-src 'self' 'unsafe-inline'; \
    style-src-elem 'self' 'unsafe-inline'; \
    img-src 'self' data: https://www.w3.org https://w3.org; \
    media-src 'self' blob:; \
    font-src 'self' data:; \
    connect-src 'self'; \
    upgrade-insecure-requests; \
    report-uri https://pnspsuat.gld.gov.hk/api/csp-report"
```

## Notes

- **`style-src-elem`**: Explicit, alongside `style-src`, because modern browsers consult `style-src-elem` for stylesheet elements; browsers that do not support it fall back to `style-src`, so both carry the same value.
- **`'unsafe-inline'` in `style-src`**: A deliberate relaxation for inline styles only. It weakens protection against CSS injection but does not affect scripts; `script-src 'self'` still blocks inline `<script>`, inline event handlers and `eval`.
- **`img-src`**: Includes `https://www.w3.org` and `https://w3.org` so W3C URLs that redirect between hosts are allowed (CSP checks every hop of a redirect, so both hosts must be listed).
- **`font-src`**: `'self' data:` covers bundled fonts and `data:` URLs if used.
- **`report-uri`**: Deprecated in favour of `report-to`, but still honoured by current browsers; keep it until `report-to` / `Reporting-Endpoints` is configured.
- Add origins to the relevant directive only if you introduce third-party scripts, styles, fonts, or APIs. A repeated directive name in one policy is ignored by browsers (the first occurrence wins), so extend the existing directive rather than appending a second one.
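To check that a deployed header still matches the constraints described above (self-hosted fonts, `object-src 'none'`, no inline script) and to pull the useful fields out of what the Report-Only endpoint receives, the following Python is an added example, not code from the original page or from the site it configures. It parses a CSP value the way browsers do (`;`-separated directives, first occurrence of a directive wins, `-elem`/`-attr` directives falling back to their parent and then to `default-src`), lints it against the page's rules, and summarises a constructed `csp-report` body. The hostnames in the sample report and the `INFO`/`ERROR` prefixes are assumptions made for the example.

```python
"""Lint a Content-Security-Policy value and summarise report-uri POST bodies."""
import json
from typing import Dict, List

# The enforcing policy from this page, joined into one header value
# (Apache's trailing backslashes are line continuations).
PAGE_POLICY = (
    "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; "
    "form-action 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "style-src-elem 'self' 'unsafe-inline'; "
    "img-src 'self' data: https://www.w3.org https://w3.org; media-src 'self' blob:; "
    "font-src 'self' data:; connect-src 'self'; upgrade-insecure-requests"
)

# Third-party font hosts that the page says must not appear anywhere.
GOOGLE_FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

# Fallback chain for the granular directives; every other fetch directive
# falls back straight to default-src. Document directives (base-uri,
# frame-ancestors, form-action) never fall back and are checked explicitly.
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Directive names are case-insensitive; a repeated directive is ignored
    because browsers honour only the first occurrence.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Sources that actually apply to a fetch directive after fallback."""
    for candidate in [name] + FALLBACK.get(name, ["default-src"]):
        if candidate in directives:
            return directives[candidate]
    return []


def lint_policy(policy: str) -> List[str]:
    """Return 'ERROR:'/'INFO:' findings against the rules this page sets out."""
    d = parse_policy(policy)
    findings: List[str] = []
    if "'none'" not in d.get("object-src", []):
        findings.append("ERROR: object-src must be 'none'")
    if "base-uri" not in d:
        findings.append("ERROR: base-uri missing; an injected <base> could rewrite relative URLs")
    if "frame-ancestors" not in d:
        findings.append("ERROR: frame-ancestors missing; page can be framed")
    for directive in ("script-src", "script-src-elem", "script-src-attr"):
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in effective_sources(d, directive):
                findings.append(f"ERROR: {directive} allows {bad}")
    for directive, sources in d.items():
        for src in sources:
            if any(host in src for host in GOOGLE_FONT_HOSTS):
                findings.append(f"ERROR: {directive} allows {src}; fonts are self-hosted")
    if "'unsafe-inline'" in effective_sources(d, "style-src"):
        findings.append("INFO: style-src allows 'unsafe-inline' (accepted relaxation for styles)")
    return findings


def summarise_report(body: str) -> Dict[str, str]:
    """Extract the fields worth logging from a report-uri POST body."""
    report = json.loads(body).get("csp-report", {})
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
        "disposition": report.get("disposition", ""),
    }


# Constructed sample report (not captured from any real site).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example.test/",
    "violated-directive": "font-src",
    "effective-directive": "font-src",
    "original-policy": PAGE_POLICY,
    "disposition": "report",
    "blocked-uri": "https://fonts.gstatic.com",
    "status-code": 200,
}})

if __name__ == "__main__":
    for finding in lint_policy(PAGE_POLICY):
        print(finding)
    print(summarise_report(SAMPLE_REPORT))
```

Run it against the header your server actually returns (for example the value of `curl -sI https://host/ | grep -i content-security-policy`) rather than against the config file, so that any `Header` directive in another vhost or `.htaccess` that overrides yours is caught.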