Check of the Content Security Policy (CSP)
If the result is positive, no further action is needed. If the result is negative, please read the following instructions.
| Result | Meaning |
|---|---|
| Result positive | A secure configuration of the Content Security Policy (CSP) was found. |
| Result negative | Content Security Policy insecure |
| Consequence | The Content Security Policy is a powerful way to increase the security of web pages: the browser loads scripts, styles, images and other content only from the sources the policy explicitly allows, which prevents the injection of external content or code. The allowlist therefore has to be maintained and reviewed regularly. On the other hand, it is rarely possible to deploy a strict CSP header without modifying the source code of the web page, because inline scripts, inline styles and event-handler attributes have to be moved into external files first. |
Solution/Tips

If the Content Security Policy is not configured securely, your web application may load content from insecure sources.

Use a CSP whose default-src is 'none' or 'self' and which contains neither 'unsafe-inline' nor 'unsafe-eval' in any directive. For more information about Content Security Policy, please refer to SELFHTML.

Example for the header on the start page, set via meta elements:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">

X-Content-Security-Policy and X-WebKit-CSP are the obsolete vendor-prefixed names from before the standard was finalised; current browsers evaluate only Content-Security-Policy, so the two extra elements are harmless but no longer required. A policy delivered in a meta element cannot use the frame-ancestors, report-uri or sandbox directives and only applies to content loaded after the element has been parsed, so sending the policy as an HTTP header (see the web server configuration below) is preferable wherever the hosting allows it.
Configuration of the web server

If you can configure your own web server, which is usually not possible in low-budget hosting packages, the header can be set via .htaccess (this requires mod_headers to be enabled in Apache):

# Load content only from explicitly allowed sources
# Example: allow everything from the own domain, nothing from external sources
# (images may additionally be loaded from siwecos.de):
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"

Because default-src is 'none', every fetch type that is not listed explicitly falls back to 'none' and is blocked, for example connect-src (XMLHttpRequest/fetch/WebSocket) or media-src (audio and video); add the directives your page actually needs and check the browser console for blocked requests after deploying. Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
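The following checker applies the rules stated above (default-src present and exactly 'none' or 'self'; no 'unsafe-inline' or 'unsafe-eval' anywhere) to a CSP header value, so you can test a policy before deploying it. It is an added example, not code from SIWECOS or its scanner; the exact criteria of the real scanner are not documented on this page and are assumed to match the text. Reporting a bare wildcard source ('*') goes beyond the page's stated rules and is included because it defeats the allowlist. The two sample policies are constructed for illustration.

```python
"""Lint a Content-Security-Policy header value against the rules described above.

Added example, not SIWECOS code. Assumed rules (taken from the text):
  * default-src must be present and be exactly 'none' or 'self'
  * no directive may contain 'unsafe-inline' or 'unsafe-eval'
Beyond the text, a bare wildcard source ('*') is reported as well.
"""
from __future__ import annotations

# Constructed sample policies: the .htaccess example from this page, and a weak one.
GOOD_POLICY = ("default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; "
               "object-src 'self'; script-src 'self'; style-src 'self';")
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive name: [source expressions]}.

    Directives are separated by ';' and tokens by ASCII whitespace. Directive
    names are case-insensitive, so they are lower-cased; source expressions are
    kept as written. Browsers ignore a repeated directive, so the first
    occurrence wins here too.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:          # empty segment, e.g. after a trailing ';'
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def check_csp(value: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passes the rules."""
    findings: list[str] = []
    policy = parse_csp(value)

    default = policy.get("default-src")
    if default is None:
        findings.append("default-src is missing: fetch types without their own directive are unrestricted")
    elif [s.lower() for s in default] not in (["'none'"], ["'self'"]):
        findings.append(f"default-src should be 'none' or 'self', found: {' '.join(default) or '(empty)'}")

    for name, sources in policy.items():
        lowered = [s.lower() for s in sources]
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present in the
        # same directive, but the rule on this page flags it regardless.
        if "'unsafe-inline'" in lowered:
            findings.append(f"{name} allows 'unsafe-inline': injected inline scripts/styles are not blocked")
        if "'unsafe-eval'" in lowered:
            findings.append(f"{name} allows 'unsafe-eval': eval() and new Function() are not blocked")
        if "*" in lowered:
            findings.append(f"{name} contains the wildcard source '*'")
    return findings


def is_secure(value: str) -> bool:
    """True when the policy produces no findings (scanner result 'positive')."""
    return not check_csp(value)


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        result = "positive" if is_secure(policy) else "negative"
        print(f"{label}: {result}")
        for finding in check_csp(policy):
            print("  -", finding)
```

To check a live site, fetch the header first (for example `curl -sI https://example.org | grep -i content-security-policy`) and pass the value after the colon to `check_csp`. Only the header variant is examined here; a policy set in a meta element has to be copied out of the HTML manually.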