Hi everyone !
I'm trying to add a CSP to the server that runs my Grav website.
So I added this into the .htaccess :
Headers set Content-Security-Policy "default-src 'self' https://fonts.googleapis.com/*"
Of course, I got an internal server error (500).
Do you have any documentation on which domains to allow ?
Thanks a lot !
ps: I am quite new to the back-end development.
pps: You're doing an amazing job <3
Nico.
Not sure about that but this is what I have in the getgrav.org .htaccess file:
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
I think i got this from MaxCDN's technical support.
btw thanks for the props :)
Alright thanks ! I'll dig into it and keep you posted :)
Hi,
What I have in my virtualhost (nginx) :
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' www.gravatar.com data: ; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com; child-src 'none'; object-src 'self' ; connect-src 'self' getgrav.org";
Have a look at https://content-security-policy.com/ ; there is a sample at the bottom of the page for Apache ; in your case, it should be (not tested) :
Header set Content-Security-Policy "default-src 'self' fonts.googleapis.com;"
Hope it helps !
Log in to reply.
| Topic | Participants | Replies | Views | Activity |
|---|---|---|---|---|
| 0 | 1350 | 9 years ago | ||
| 2 | 934 | 9 years ago | ||
| 2 | 4060 | 9 years ago | ||
| 1 | 2947 | 9 years ago | ||
| 3 | 1118 | 9 years ago |