Trying to get an A+ rating from securityheaders.com

I was trying to get an A+ rating from securityheaders.com, it responds with

Content-Security-Policy: This policy contains 'unsafe-inline' which is dangerous in the style-src directive.

Which is caused by,

$ cd /your-site-route 
$ grep -R  style-src * | grep unsafe
lib/private/legacy/response.php:			. 'style-src \'self\' \'unsafe-inline\'; '

Can this be worked round?

Apache Content-Security-Policy Header

Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:

Header set Content-Security-Policy "default-src 'self';"

Nginx Content-Security-Policy Header

In your server {} block add:

add_header Content-Security-Policy "default-src 'self';";

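To check a policy for the finding described above before re-running the scanner, here is a small added example (not from the post or from any project) that parses a Content-Security-Policy header, applies the default-src fallback, and reports which fetch directives end up allowing 'unsafe-inline'. The sample headers are constructed; the first one only mimics the style-src fragment shown in the grep output, not the full policy of the site.

```python
"""Check a Content-Security-Policy header for 'unsafe-inline' in
script-src / style-src, the finding securityheaders.com reports.
Added example; not code from the forum post or the site in question."""


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """A fetch directive that is absent inherits the default-src list."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def unsafe_inline_findings(header: str) -> list:
    """Return the fetch directives whose effective source list contains
    'unsafe-inline' (keyword sources are matched case-insensitively)."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        sources = [s.lower() for s in effective_sources(policy, directive)]
        if "'unsafe-inline'" in sources:
            findings.append(directive)
    return findings


# Constructed sample headers (not captured from a real site)
STYLE_INLINE = ("default-src 'none'; script-src 'self'; "
                "style-src 'self' 'unsafe-inline'; img-src 'self' data:")
TIGHT = "default-src 'self';"
INHERITED = "default-src 'self' 'unsafe-inline';"

if __name__ == "__main__":
    for h in (STYLE_INLINE, TIGHT, INHERITED):
        print(h, "->", unsafe_inline_findings(h))
```

The third sample shows why a bare `default-src` line is worth checking too: anything allowed there leaks into every fetch directive the policy does not set explicitly.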