
Content-Security-Policy (Apache)

Self-hosted fonts: no fonts.googleapis.com or fonts.gstatic.com. Static assets (including woff2) are served from 'self'.

Adjust report-uri if your API base path or host differs (example below targets UAT).

Enforcing

Header always set Content-Security-Policy "default-src 'self'; \
	base-uri 'self'; \
	object-src 'none'; \
	frame-ancestors 'none'; \
	form-action 'self'; \
	script-src 'self'; \
	style-src 'self' 'unsafe-inline'; \
	style-src-elem 'self' 'unsafe-inline'; \
	img-src 'self' data: https://www.w3.org https://w3.org; \
	media-src 'self' blob:; \
	font-src 'self' data:; \
	connect-src 'self'; \
	upgrade-insecure-requests"
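The enforcing policy above relies on several structural facts about CSP: a directive that appears twice is honoured only on its first occurrence, fetch directives such as script-src inherit from default-src when absent, and base-uri, form-action and frame-ancestors have no fallback at all. The following Python script is an added example (not part of this configuration) that parses a serialized policy with those rules and checks the invariants the policy depends on; the ENFORCING_POLICY string is the header value above with httpd's backslash continuations collapsed, and the weaker policy at the bottom is constructed for contrast.

```python
# Added example: parse a serialized CSP the way a browser does and lint it.
# Assumed inputs: ENFORCING_POLICY is the Apache header value above with the
# backslash line continuations collapsed; WEAK_POLICY is a constructed sample.

ENFORCING_POLICY = (
    "default-src 'self'; base-uri 'self'; object-src 'none'; "
    "frame-ancestors 'none'; form-action 'self'; script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; "
    "img-src 'self' data: https://www.w3.org https://w3.org; "
    "media-src 'self' blob:; font-src 'self' data:; connect-src 'self'; "
    "upgrade-insecure-requests"
)

# Constructed weaker policy: everything inherits from a permissive default-src
# and the no-fallback directives are simply missing.
WEAK_POLICY = "default-src 'self' 'unsafe-inline'; img-src *"

# CSP Level 3 fallback chains, most specific first. Directives not listed here
# (base-uri, form-action, frame-ancestors, sandbox, report-uri, ...) never
# fall back: if they are absent, nothing restricts them.
FALLBACK = {
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "connect-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def parse_csp(policy):
    """Split a serialized policy into {directive-name: [source expressions]}.

    Directive names are case-insensitive. A directive that appears more than
    once keeps its first occurrence; browsers ignore the later copies.
    """
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


def effective_sources(directives, name):
    """Return the source list that actually governs `name`, following the
    fallback chain, or None when nothing in the policy restricts it."""
    if name in directives:
        return directives[name]
    for fallback in FALLBACK.get(name, []):
        if fallback in directives:
            return directives[fallback]
    return None


def lint_policy(policy):
    """Return (directive, message) findings for the invariants this policy
    is built on: no inline/eval/wildcard script sources, plugins disabled,
    and the three no-fallback directives present."""
    directives = parse_csp(policy)
    findings = []
    script = effective_sources(directives, "script-src")
    if script is None:
        findings.append(("script-src", "neither script-src nor default-src set; scripts unrestricted"))
    else:
        # A nonce or hash makes browsers ignore 'unsafe-inline', but flag it anyway.
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
            if risky in script:
                findings.append(("script-src", f"allows {risky} (possibly via default-src)"))
    if effective_sources(directives, "object-src") != ["'none'"]:
        findings.append(("object-src", "should be 'none' unless plugins are required"))
    for name in ("base-uri", "frame-ancestors", "form-action"):
        if name not in directives:
            findings.append((name, "missing; this directive has no default-src fallback"))
    return findings


if __name__ == "__main__":
    print("enforcing policy findings:", lint_policy(ENFORCING_POLICY))
    for directive, message in lint_policy(WEAK_POLICY):
        print(f"weak policy: {directive}: {message}")
```

Running it reports no findings for the enforcing policy and five for the constructed weak one; `effective_sources` also shows why the Notes below list style-src-elem explicitly: when it is absent, browsers resolve it through style-src and then default-src.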

Report-Only

Same policy plus violation reporting:

Header always set Content-Security-Policy-Report-Only "default-src 'self'; \
	base-uri 'self'; \
	object-src 'none'; \
	frame-ancestors 'none'; \
	form-action 'self'; \
	script-src 'self'; \
	style-src 'self' 'unsafe-inline'; \
	style-src-elem 'self' 'unsafe-inline'; \
	img-src 'self' data: https://www.w3.org https://w3.org; \
	media-src 'self' blob:; \
	font-src 'self' data:; \
	connect-src 'self'; \
	upgrade-insecure-requests; \
	report-uri https://pnspsuat.gld.gov.hk/api/csp-report"
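Whatever sits behind the report-uri endpoint has to treat the POSTed body as untrusted: it is unauthenticated, anyone can send it, and browser extensions generate a steady stream of violations that have nothing to do with the site. The script below is an added example (not the project's endpoint code) of parsing a `csp-report` JSON body into a bounded, query-stripped log record and routing it; the report shape follows the `application/csp-report` format browsers send to report-uri, and the sample reports, the `app.example` host and the severity labels are all constructed for the example.

```python
# Added example: parse and triage CSP violation reports delivered to a
# report-uri endpoint. Sample bodies and the served host are constructed.
import json
from urllib.parse import urlsplit

MAX_FIELD_LEN = 1024  # cap every string so a hostile body cannot bloat logs

EXPECTED_FIELDS = (
    "document-uri", "referrer", "violated-directive", "effective-directive",
    "blocked-uri", "source-file", "line-number", "column-number",
    "disposition", "status-code", "script-sample", "original-policy",
)

# Schemes used by browser extensions that inject into pages; these reports are
# noise from the site's point of view.
NOISE_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension",
                 "safari-web-extension", "ms-browser-extension")

# Constructed sample bodies, shaped like what a browser POSTs.
SAMPLE_INLINE = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout?session=abc123",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'",
    "disposition": "report",
    "blocked-uri": "inline",
    "line-number": 12, "column-number": 5,
    "source-file": "https://app.example/checkout",
    "status-code": 200, "script-sample": "",
}})
SAMPLE_EXTENSION = json.dumps({"csp-report": {
    "document-uri": "https://app.example/",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
    "disposition": "report",
}})
SAMPLE_FONT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/",
    "violated-directive": "font-src 'self' data:",
    "effective-directive": "font-src",
    "blocked-uri": "https://fonts.gstatic.com/s/roboto/v30/x.woff2",
    "disposition": "report",
}})


def _clean_uri(value):
    """Keep scheme, host and path; drop query and fragment, which may carry
    session tokens. Non-URL values ('inline', 'eval', 'data') pass through."""
    if not isinstance(value, str):
        return ""
    value = value[:MAX_FIELD_LEN]
    parts = urlsplit(value)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}{parts.path}"
    return value


def parse_csp_report(body):
    """Validate a report-uri POST body and return a normalized record.
    Raises ValueError for anything that is not a csp-report object."""
    if isinstance(body, (bytes, bytearray)):
        body = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    record = {}
    for key in EXPECTED_FIELDS:
        val = report.get(key)
        if key in ("document-uri", "referrer", "blocked-uri", "source-file"):
            record[key] = _clean_uri(val)
        elif key in ("line-number", "column-number", "status-code"):
            record[key] = val if isinstance(val, int) else None
        else:
            record[key] = val[:MAX_FIELD_LEN] if isinstance(val, str) else ""
    # violated-directive may carry the whole directive ("script-src 'self'");
    # keep only the directive name, preferring effective-directive.
    words = (record["effective-directive"] or record["violated-directive"]).split()
    record["directive"] = words[0] if words else ""
    return record


def triage(record, served_hosts):
    """Coarse routing: 'ignore' for reports about pages we do not serve or from
    extensions, 'high' for blocked script/plugin/base sources, else 'low'."""
    if urlsplit(record["document-uri"]).hostname not in served_hosts:
        return "ignore"  # the endpoint is public; only log reports for our hosts
    blocked = record["blocked-uri"]
    scheme = urlsplit(blocked).scheme if "://" in blocked else blocked
    if scheme in NOISE_SCHEMES or blocked in ("about", "about:blank"):
        return "ignore"
    if record["directive"] in ("script-src", "script-src-elem", "script-src-attr",
                               "object-src", "base-uri"):
        return "high"
    return "low"


if __name__ == "__main__":
    for body in (SAMPLE_INLINE, SAMPLE_EXTENSION, SAMPLE_FONT):
        rec = parse_csp_report(body)
        print(triage(rec, {"app.example"}), rec["directive"], rec["blocked-uri"])
```

The font sample is the kind of report that would surface a stray fonts.gstatic.com reference the self-hosted-fonts rule above is meant to exclude; the inline-script sample is either a template that still needs fixing or an injection attempt, which is why it is routed as high rather than silently counted.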

Notes

  • style-src-elem: Explicit, alongside style-src, for <link rel="stylesheet"> behaviour in modern browsers.
  • img-src: Includes https://www.w3.org and https://w3.org so W3C URLs that redirect between hosts are allowed.
  • font-src: 'self' data: covers bundled fonts and data: URLs if used.
  • Add origins to the relevant directive only if you introduce third-party scripts, styles, fonts, or APIs.