DEV Community



Content Security Policy - Basic Knowledge To Understand How It Works

```php
<?php
    // All header() calls must run before any output (even the doctype),
    // otherwise PHP reports "headers already sent" and the headers are lost.

    // One fresh nonce per response; the same value is echoed into every
    // <script> and <link> the page itself intends to load.
    $nonce = base64_encode(random_bytes(16));

    // Note: 'strict-dynamic' is only defined for script-src; browsers ignore it
    // in style-src, so the style nonce is what actually allows the stylesheet.
    header("Content-Security-Policy: default-src 'self'; font-src 'self'; script-src 'strict-dynamic' 'nonce-$nonce'; style-src 'strict-dynamic' 'nonce-$nonce'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; frame-src 'self'");
    header("Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");

    // Demo-only pin values. Real HPKP pins are base64 SHA-256 digests of a
    // certificate's SPKI, not hex digests of a test string; current browsers
    // no longer enforce Public-Key-Pins at all.
    $pin1 = hash("sha256", "test");
    $pin2 = hash("sha256", "tost");
    header("Public-Key-Pins: pin-sha256=\"$pin1\"; pin-sha256=\"$pin2\"; max-age=31536000; includeSubDomains");

    // Legacy framing control; browsers that understand frame-ancestors use the CSP value instead.
    header("X-Frame-Options: SAMEORIGIN");
    // Legacy header, ignored by modern browsers; CSP is the replacement.
    header("X-XSS-Protection: 1; mode=block");
    header("X-Content-Type-Options: nosniff");
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <!-- The nonce on the <link> satisfies style-src; the href is left as in the post -->
    <link rel="stylesheet" nonce="<?php echo $nonce ?>" href="" />

    <title>CSP TEST</title>
</head>
<body>
    <!-- Jawi script for "Content Security Policy / Dasar Keselamatan Kandungan" -->
    <h1 style="font-family:'Reem Kufi',sans-serif"> چونتنت سچوريتي ڤوليچي /  داسر كسلامتن كندوڠن </h1>

    <!-- Malay: "This page is used to test Content Security Policy" -->
    <h2>Laman ini digunakan untuk menguji Content Security Policy/ Dasar Keselamatan Kandungan</h2>

    <i class="fa-brands fa-youtube"></i> <br/>

    <!-- Commented out in the post; with frame-src 'self' a third-party embed would be blocked -->
    <!--
    <iframe width="560" height="315" src=";controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
    -->

    <i class="fa-solid fa-tower-cell"></i><br/>

    <!-- Inline script is allowed only because it carries the per-response nonce -->
    <script nonce="<?php echo $nonce ?>">
        // page script goes here
    </script>
</body>
</html>
```

CSP can be set in application code, in `.htaccess`, or in the nginx vhost configuration. It is up to the development team to decide where the CSP (as a response header or a `<meta>` tag) is best placed in their system.
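As an added example (not code from the original post), the following Python script builds the same nonce-based policy the PHP page above sends and then lints any serialized CSP for the mistakes a reviewer looks for: a `script-src` with no nonce or hash, `'strict-dynamic'` outside `script-src` (browsers ignore it there, which is the case for the `style-src` in the policy above), a nonce that is not base64 or carries fewer than 16 random bytes, a missing `object-src 'none'`, and a missing `base-uri`. The function names and the policy strings used for checking are my own constructions.

```python
"""Build a nonce-based Content-Security-Policy and lint it.

Added example, not code from the original post. It mirrors the header the
PHP page sends (nonce = base64 of 16 random bytes) and adds the checks a
reviewer would run over any serialized policy. Function names are my own.
"""
from __future__ import annotations

import base64
import re
import secrets

# A CSP nonce source expression looks like 'nonce-<base64 value>'
NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=]+)'$")
MIN_NONCE_BYTES = 16


def make_nonce(n_bytes: int = MIN_NONCE_BYTES) -> str:
    """Fresh per-response nonce, same construction as PHP's base64_encode(random_bytes(16))."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Serialize the page's directives. 'strict-dynamic' only has meaning in
    script-src, so style-src gets 'self' plus the nonce instead."""
    directives = {
        "default-src": ["'self'"],
        "font-src": ["'self'"],
        "script-src": ["'strict-dynamic'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "base-uri": ["'self'"],
        "object-src": ["'none'"],
        "frame-ancestors": ["'none'"],
        "frame-src": ["'self'"],
    }
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    parsed: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def lint_csp(policy: str) -> list[str]:
    """Return review findings for a policy; an empty list means it passed every check."""
    p = parse_csp(policy)
    findings: list[str] = []

    # script-src falls back to default-src when it is absent.
    script = p.get("script-src", p.get("default-src", []))
    has_nonce = any(NONCE_RE.match(s) for s in script)
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in script)
    if not (has_nonce or has_hash):
        findings.append("script-src: no nonce or hash, so no inline script can be allowed safely")
    if "'unsafe-inline'" in script and not (has_nonce or has_hash):
        findings.append("script-src: 'unsafe-inline' without a nonce/hash lets any injected inline script run")

    for name, sources in p.items():
        if name != "script-src" and "'strict-dynamic'" in sources:
            findings.append(f"{name}: 'strict-dynamic' is only defined for script-src and is ignored here")
        for source in sources:
            match = NONCE_RE.match(source)
            if not match:
                continue
            try:
                raw = base64.b64decode(match.group(1), validate=True)
            except ValueError:
                findings.append(f"{name}: nonce is not valid base64")
                continue
            if len(raw) < MIN_NONCE_BYTES:
                findings.append(f"{name}: nonce carries only {len(raw)} random bytes; use at least {MIN_NONCE_BYTES}")

    if p.get("object-src") != ["'none'"]:
        findings.append("object-src: set to 'none' so plugin content cannot bypass script-src")
    if "base-uri" not in p:
        findings.append("base-uri: missing, so an injected <base> tag could retarget relative script URLs")
    return findings


def nonces_are_fresh(count: int = 100) -> bool:
    """Nonces must differ per response; a value reused across responses is as weak as 'unsafe-inline'."""
    return len({make_nonce() for _ in range(count)}) == count


if __name__ == "__main__":
    nonce = make_nonce()
    policy = build_csp(nonce)
    print("Content-Security-Policy:", policy)
    print("findings:", lint_csp(policy) or "none")
```

Running `lint_csp` over the exact policy string the PHP page sends yields a single finding, the `'strict-dynamic'` in `style-src`; the rest of that policy (per-response 16-byte nonce, `object-src 'none'`, `base-uri 'self'`) passes. The same linter can be pointed at a header captured from any deployment, whether it was set in code, `.htaccess`, or nginx.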
