Configuring the Content Security Policy Header

We recommend doing this by adding the following code to your site's .htaccess file:

# Enable Content Security Policy Header (use straight ASCII quotes, not typographic ones)
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>

DO THIS ON A TEST VERSION OF YOUR SITE, as it may prevent some things from loading and your site may “break.”

By opening your browser's developer tools (for example, in Chrome, right-click and choose "Inspect") you can view the Console and see which resources the policy is blocking. Exceptions for those resources can then be added to the code above.

For example, suppose the console shows that content (JavaScript, for instance) that is trying to load from Cloudflare is being blocked. Add that origin after the script-src portion, as shown below.

Header set Content-Security-Policy "default-src 'none'; script-src 'self' https://cdnjs.cloudflare.com; connect-src 'self'; img-src 'self'; style-src 'self';"
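To make the "add an exception" step repeatable and to catch typographic quotes before the header reaches Apache, here is an added Python example (not from the original page). It parses the policy into directives, appends an origin to one directive, and serialises the result; the font-src origin used in the comments is a constructed placeholder.

```python
"""Parse, amend and re-serialise a Content-Security-Policy header value.

Added example. BASE_POLICY is the header shown on the page; everything
else is illustrative.
"""

# Typographic quotes silently break the policy when pasted into .htaccess.
CURLY_QUOTES = {"\u2018", "\u2019", "\u201c", "\u201d"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}, preserving order."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # a trailing ';' leaves an empty segment
        name, sources = tokens[0].lower(), tokens[1:]
        for src in sources:
            if any(ch in CURLY_QUOTES for ch in src):
                raise ValueError(f"typographic quote in {name}: {src!r}; use ASCII '")
        directives.setdefault(name, []).extend(sources)
    return directives


def serialize_csp(directives: dict[str, list[str]]) -> str:
    """Rebuild the header value in the same 'name src src;' form as the page."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items()) + ";"


def add_source(policy: str, directive: str, source: str) -> str:
    """Allow one extra origin for a directive (the console-driven exception step).

    A directive that is absent inherits default-src, so it is created from a
    copy of default-src first; 'none' cannot be combined with other sources
    and is dropped from that copy.
    """
    directives = parse_csp(policy)
    if directive not in directives:
        inherited = directives.get("default-src", [])
        directives[directive] = [s for s in inherited if s != "'none'"]
    if source not in directives[directive]:  # idempotent: no duplicate sources
        directives[directive].append(source)
    return serialize_csp(directives)


BASE_POLICY = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

if __name__ == "__main__":
    print(add_source(BASE_POLICY, "script-src", "https://cdnjs.cloudflare.com"))
    # e.g. fonts blocked in the console (placeholder origin):
    print(add_source(BASE_POLICY, "font-src", "https://fonts.example"))
```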