
Apache Content-Security-Policy (CSP) header in .htaccess how to allow multiple domains wildcard?

Discussion in 'Site & Server Administration' started by postcd, Jul 6, 2017.

  1. #1
    Hello,
    This page (https://securityheaders.io) told me that my site does not have a Content Security Policy (CSP) set.

    I wanted to fix it, so I googled how to set CSP in the case of an Apache + cPanel server (google: content security policy apache generator).

    I found here (https://content-security-policy.com/) that one can edit the .htaccess file and add the line:
    Header set Content-Security-Policy **something there**

    Here it is mentioned that one can define CSP in an HTML header meta tag.

    Or use a more advanced script with e-mail reporting: https://gist.github.com/phpdave/24d879514e7411047267

    I tried several examples I found, but none worked. It always disabled all external elements of my site, while I tried to allow these:
    ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com

    Header set Content-Security-Policy "default-src 'self' ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com"
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' ajax.cloudflare.com sharebutton.net cjshare.com cleverjump.org jsdelivr.net google.com *.tawk.to twitter.com"
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' http://*tawk.to https://*.cloudflare.com 'unsafe-inline'"
    Code (markup):
    My site is behind Cloudflare, but when I purge the Cloudflare cache and reload the site with Ctrl+F5, no external elements like the chat window or widgets appear when CSP is in .htaccess.

    When I remove the CSP line from .htaccess, then they (chat window and other external page elements) start appearing. So please, how should the CSP rule look to allow only local elements and the external site elements I mentioned above? Thank You
     
    Last edited: Jul 6, 2017
    postcd, Jul 6, 2017 IP
  2. #2
    This .htaccess "rule" works:
    Header always set Content-Security-Policy "default-src 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to https://cjshare.com *.cjshare.com *.cleverjump.org *.jsdelivr.net https://sharebutton.net *.sharebutton.net; style-src 'self' 'unsafe-inline' *.jsdelivr.net; img-src data: *; object-src 'none'"
    Code (markup):
    You may notice I had to enter the https:// prefix sometimes.
    I would advise removing all custom domains from the rule:

    Header always set Content-Security-Policy "default-src 'self' *.google-analytics.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src data: *; object-src 'none'"
    Code (markup):
    then reload the site in the web browser while the browser's Developer console is open, and you should be able to see advice and errors if some elements were blocked by CSP. Then read the errors and add the necessary external domains to the CSP rule.

    By the way here is nice tool that can help evaluating your CSP rule:
    https://csp-evaluator.withgoogle.com/
    The proper format to paste into that tool is like this:
    In my case it complains:
    But when I remove it, all external scripts stop loading even though these are whitelisted in the rule ... impact and workarounds are explained here https://developers.google.com/web/fundamentals/security/csp/#inline_code_is_considered_harmful
     
    Last edited: Jul 7, 2017
    postcd, Jul 7, 2017 IP
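The reason the first three attempts blocked the chat widget and the final rule did not can be seen by replaying the policies against the kinds of loads the site makes. The following is an added example, not code from the thread or from any of the services named in it: a small CSP source-expression matcher that implements 'self', 'none', 'unsafe-inline', scheme sources such as data: and wss:, host sources with optional scheme and leading wildcard, and the fallback from a missing directive to default-src. The page origin (https://example.com/), the resource URLs under tawk.to, and the load list are constructed for the demonstration; the scheme rule is the conservative one (a schemeless host source matches only the page's own scheme, or https from an http page), which is why an explicit wss:// entry is needed for the websocket.

```javascript
// Added example (not from the thread): replay the posted CSP policies against
// constructed resource loads and report which directive allows each one.

const PAGE = "https://example.com/"; // constructed: the origin serving the policy

// Constructed loads a site embedding a chat widget would make (hostnames assumed).
const LOADS = [
  ["externalScript", "script-src",  { url: "https://embed.tawk.to/chat.js" }],
  ["inlineScript",   "script-src",  { inline: true }],
  ["websocket",      "connect-src", { url: "wss://va.tawk.to/socket" }],
  ["dataImage",      "img-src",     { url: "data:image/png;base64,AAAA" }],
];

// Policies copied from the thread; attempt numbers follow the OP's list.
const POLICIES = {
  attempt1: "default-src 'self' ajax.cloudflare.com *.sharebutton.net *.cjshare.com *.cleverjump.org *.jsdelivr.net *.google.com *.tawk.to *.twitter.com",
  attempt3: "default-src 'self' 'unsafe-inline' ajax.cloudflare.com sharebutton.net cjshare.com cleverjump.org jsdelivr.net google.com *.tawk.to twitter.com",
  attempt4: "default-src 'self'; script-src 'self' http://*tawk.to https://*.cloudflare.com 'unsafe-inline'",
  working:  "default-src 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to https://cjshare.com *.cjshare.com *.cleverjump.org *.jsdelivr.net https://sharebutton.net *.sharebutton.net; style-src 'self' 'unsafe-inline' *.jsdelivr.net; img-src data: *; object-src 'none'",
};

// Split "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Classify one source expression: keyword ('self'), scheme-source (data:, wss:)
// or host-source with optional scheme. Port and path parts are ignored here.
function parseSource(src) {
  if (src.startsWith("'")) return { kind: "keyword", value: src.toLowerCase() };
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return { kind: "scheme", scheme: src.slice(0, -1).toLowerCase() };
  let scheme = null, rest = src;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(src);
  if (m) { scheme = m[1].toLowerCase(); rest = m[2]; }
  const host = rest.split("/")[0].split(":")[0].toLowerCase();
  // "*.tawk.to" is a valid wildcard; "*tawk.to" (no dot) is malformed and matches nothing.
  const invalid = host.includes("*") && host !== "*" && !host.startsWith("*.");
  return { kind: "host", scheme, host, invalid };
}

// Conservative scheme rule: exact match, plus the http->https and ws->wss upgrades.
function schemeMatches(patternScheme, urlScheme) {
  if (patternScheme === urlScheme) return true;
  return (patternScheme === "http" && urlScheme === "https") ||
         (patternScheme === "ws" && urlScheme === "wss");
}

// "*.tawk.to" matches subdomains only, never the bare "tawk.to".
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceAllows(src, request, page) {
  const s = parseSource(src);
  if (s.kind === "keyword") {
    if (s.value === "'self'") return request.url !== undefined && request.url.origin === page.origin;
    if (s.value === "'unsafe-inline'") return request.inline === true;
    if (s.value === "'unsafe-eval'") return request.eval === true;
    return false; // 'none' and unsupported keywords allow nothing
  }
  if (request.url === undefined) return false; // host/scheme sources never allow inline code or eval
  const urlScheme = request.url.protocol.slice(0, -1);
  if (s.kind === "scheme") return schemeMatches(s.scheme, urlScheme);
  if (s.invalid) return false;
  const pageScheme = page.protocol.slice(0, -1);
  const schemeOk = s.scheme ? schemeMatches(s.scheme, urlScheme) : schemeMatches(pageScheme, urlScheme);
  return schemeOk && hostMatches(s.host, request.url.hostname);
}

// Directive lookup with the default-src fallback the browser applies.
function isAllowed(policyText, directive, request, pageUrl) {
  const page = new URL(pageUrl);
  const policy = parsePolicy(policyText);
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // no governing directive: unrestricted
  const req = request.url ? { url: new URL(request.url) } : request;
  return sources.some((src) => sourceAllows(src, req, page));
}

// Returns { policyName: { loadLabel: allowed } } for every policy and load.
function evaluatePolicies(policies = POLICIES, pageUrl = PAGE) {
  const report = {};
  for (const [name, policy] of Object.entries(policies)) {
    report[name] = {};
    for (const [label, directive, request] of LOADS) {
      report[name][label] = isAllowed(policy, directive, request, pageUrl);
    }
  }
  return report;
}

console.log(JSON.stringify(evaluatePolicies(), null, 2));
```

Run it with node and read the report: attempt 1 allows the external script but blocks the inline bootstrap snippet, the wss:// connection and data: images; attempt 3 fixes only the inline script; attempt 4 blocks the external script because `http://*tawk.to` is malformed and is ignored. The working rule passes all four because the inline keyword sits in script-src, the wss:// entry sits in default-src (which connect-src falls back to), and img-src lists data:. One .htaccess detail worth keeping from the answer: `Header always set` also attaches the header to error responses such as 404 pages, while plain `Header set` only covers successful ones.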