Apache Content-Security-Policy (CSP) header in .htaccess how to allow multiple domains wildcard?

Hello,

this page (https://securityheaders.io) told me that my site does not have Content Security Policy (CSP) set.

I wanted to fix it so i googled how to set CSP in case of Apache + cPanel server (google: content security policy apache generator)

I found here (https://content-security-policy.com/) that one can edit .htaccess file and add line:
Header set Content-Security-Policy **something there**

Here is mentioned that one can define CSP in HTML header meta tag.

Or use more advanced script with e-mail reporting: https://gist.github.com/phpdave/24d879514e7411047267

I tried several examples i found, but none worked. It always disabled all external elements of my site, while i tried to allow these:
ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com

Header set Content-Security-Policy "default-src 'self' ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com"
Header set Content-Security-Policy "default-src 'self'; script-src 'self' ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' ajax.cloudflare.com sharebutton.net cjshare.com cleverjump.org jsdelivr.net google.com *.tawk.to twitter.com"
Header set Content-Security-Policy "default-src 'self'; script-src 'self' http://*tawk.to https://*.cloudflare.com 'unsafe-inline'"

Code (markup):

my site is behind cloudflare, but when i purge cloudflare cache and reloading site Ctrl+F5, no external elements like chat window or widgets appear when CSP is in .htaccess

when i remove CSP line from htaccess, then they (chat window and other external pages elements) start appearing. So please how the CSP rule should look like to allow only local elements and external site elements i mentioned above? Thank You

 

This .htaccess "rule" works:

Header always set Content-Security-Policy "default-src 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to https://cjshare.com *.cjshare.com *.cleverjump.org *.jsdelivr.net https://sharebutton.net *.sharebutton.net; style-src 'self' 'unsafe-inline' *.jsdelivr.net; img-src data: *; object-src 'none'"

Code (markup):

You may notice i had to enter https:// prefix sometimes.
I would advise removing all custom domains from the rule:

Header always set Content-Security-Policy "default-src 'self' *.google-analytics.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src data: *; object-src 'none'"

Code (markup):

, reloading site in web browser while Developer console of the web browser is open and one should be able to see advises and errors if some elements was blocked by CSP. and then read errors and add necessary external domains to the CSP rule.

By the way here is nice tool that can help evaluating your CSP rule:
https://csp-evaluator.withgoogle.com/
Proper format to paste into that tool is like this:

In my case it complains:

but when i remove it, all external scripts stops loading even these are whitelisted in the rule ... impact and workarounds explained here https://developers.google.com/web/fundamentals/security/csp/#inline_code_is_considered_harmful