Hi there,
I was doing some work on my website when I thought of doing a security scan with Mozilla Observatory. Unsurprisingly I got an F, but I wanted to see what I could improve. The first thing I got deducted the most points for was a missing Content Security Policy in my HTTP headers. I have tried putting it in the .htaccess file in the root of the website like this:
Header add Content-Security-Policy "default-src 'self';"
But that straight up made the website return error 500.
I have the default setup where I have Apache2 as the webserver and Nginx as (just) the proxy. I would like to have the possibility to set the headers per site, but if that's not a good idea then I'd like to hear that from you guys as well.
Anyway, do any of you guys know how to set these headers the proper way? I couldn’t find anything about it in the documentation.
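An added example (not from the original post) of the two places such a header can be set in this Apache-behind-Nginx layout: the .htaccess form guarded so it does not produce a 500 when mod_headers is not loaded, and the equivalent per-site line for the Nginx server block. It assumes a Debian-style Apache where modules are enabled with a2enmod; the helper function names are made up for this example.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Assumes Apache (Debian-style, modules via a2enmod) behind an Nginx proxy.

# CSP value to publish; tighten it per site as needed.
CSP="default-src 'self';"

# Apache side. The 'Header' directive is provided by mod_headers. When that
# module is not loaded, Apache rejects the directive in .htaccess and the
# site answers 500. Wrapping it in <IfModule> keeps the site up until the
# module is enabled (a2enmod headers && systemctl reload apache2), and
# "set" replaces any existing value instead of adding a second header.
apache_csp_htaccess() {
  printf '%s\n' \
    '<IfModule mod_headers.c>' \
    "    Header set Content-Security-Policy \"$1\"" \
    '</IfModule>'
}

# Nginx side: equivalent per-site line for the server block that proxies
# this site. "always" also sends it on error responses. Nginx passes the
# upstream's own headers through by default, so set the policy in only one
# of the two layers; two CSP headers are both enforced by the browser.
# Caveat: add_header inside a location block drops every add_header
# inherited from server/http, so keep all headers at the same level.
nginx_csp_server_snippet() {
  printf '%s\n' "    add_header Content-Security-Policy \"$1\" always;"
}

# Print both snippets; paste the one for the layer you choose, then run
# 'apachectl configtest' or 'nginx -t' before reloading.
echo "# Apache .htaccess snippet:"
apache_csp_htaccess "$CSP"
echo "# Nginx server-block snippet:"
nginx_csp_server_snippet "$CSP"
```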