Setting a Content Security Policy for my website

Hi there,

I was doing some work on my website when I thought of doing a security scan with Mozilla Observatory. Unsurprisingly I got an F, but I wanted to see what I could improve. The thing I lost the most points for was a missing Content Security Policy in my HTTP headers. I have tried putting it in the .htaccess file in the root of the website like this:

Header add Content-Security-Policy "default-src 'self';"

But that straight up made the website return error 500.

I have the default setup where I have Apache2 as the web server and Nginx as (just) the proxy. I would like to have the possibility to set the headers per site, but if that's not a good idea then I'd like to hear that from you guys as well 🙂.

Anyway, do any of you guys know how to set these headers the proper way? I couldn’t find anything about it in the documentation.

Hi @emiellr,

I don’t use Apache so I can’t test it but as far as I know, the headers should be added to your nginx conf files.

Before trying to create a template, modify your nginx conf files:

/home/YourUser/conf/web/YourDomain/nginx.conf
/home/YourUser/conf/web/YourDomain/nginx.ssl.conf

And add this line in both files:

add_header Content-Security-Policy "default-src 'self';";

Reload nginx:

systemctl reload nginx

Then check your site again to see whether the new header is present.

If this works, maybe you would like to create a new template for your site with those headers so they won't be lost when rebuilding your site or in the next Hestia upgrade.

Good luck,
sahsanu
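As an added example (not part of either post above, and not a Hestia template), here is what the `add_header` line from the answer looks like inside a complete nginx `server` block, together with two caveats a practitioner runs into when setting security headers at the proxy layer. The certificate paths and the Apache backend port are placeholders; the `always` parameter is real nginx syntax. Note also that because nginx proxies to Apache, a header set by Apache (a `Header` line in `.htaccess`, which needs `mod_headers` enabled, otherwise Apache fails with "Invalid command 'Header'" and returns a 500) is passed through to the client as well. If both layers set `Content-Security-Policy`, the browser receives two policies and enforces both, so set it in one place only.

```nginx
# Added example: an nginx server block for
# /home/YourUser/conf/web/YourDomain/nginx.ssl.conf (the path from the answer above).
# Certificate paths and the backend address are placeholders, not Hestia's generated values.
server {
    listen 443 ssl http2;
    server_name YourDomain www.YourDomain;

    ssl_certificate     /home/YourUser/conf/web/YourDomain/ssl/YourDomain.pem;  # placeholder
    ssl_certificate_key /home/YourUser/conf/web/YourDomain/ssl/YourDomain.key;  # placeholder

    # "always" attaches the header to every response, including 4xx/5xx error pages.
    # Without it nginx only adds the header to 200, 201, 204, 206, 301, 302, 303,
    # 304, 307 and 308 responses, so error pages would ship without a CSP.
    add_header Content-Security-Policy "default-src 'self';" always;

    location / {
        # Apache backend; port and address are assumptions.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host       $host;
        proxy_set_header X-Real-IP  $remote_addr;
    }

    # Caveat: add_header directives are NOT inherited by a block that declares
    # its own add_header. This location sets a caching header, which silently
    # drops the server-level CSP for static files unless it is repeated here.
    location ~* \.(css|js|png|jpg|svg|woff2?)$ {
        proxy_pass http://127.0.0.1:8080;
        add_header Cache-Control "public, max-age=31536000";
        add_header Content-Security-Policy "default-src 'self';" always;  # repeated on purpose
    }
}
```

After `systemctl reload nginx`, verify from outside the server with `curl -sI https://YourDomain/ | grep -i content-security-policy` and also request a static asset and a non-existent URL: the header should appear exactly once on all three. If it appears twice, Apache and nginx are both setting it and one of them should be removed.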