This task is for users with the following roles: OC Developer
The Content Security Policy HTTP Header (CSP) is a security header used by browsers to better control the different resources that your website can load. This includes scripts, style sheets, images, media, fonts and other resources.
The CSP helps mitigate common attacks such as cross-site scripting, man-in-the-middle, and clickjacking.
Set Up the CSP for your Site
Developers set up and manage the CSP from the Content Security Header Management screen of the OpenCities admin, and must do so separately for each OpenCities site.
Note that no backup of the current header values is kept; copy them locally before modifying them so that an accidental change can be reverted.
- Go to More > CSP Header Management from the main menu.
- Check Store violation report to have the application gather violation reports from the browser and save them to the database for review. This setting unchecks itself automatically after one hour and affects only the Content-security-policy-report-only header value field.
- Open the site in a new browser session to test for the header; the header is not rendered while the site is being previewed.
- Enter your directive(s), for example, frame-ancestors 'self'; default-src 'self';
- Test the header across multiple browsers and check the console for messages related to it; the violations registered can differ between browsers.
- Resolve any violated directives. The automatic Resolve option tries to produce a valid header, but always review the result yourself and confirm that your browser shows no error messages related to the header.
- Move tested directives from the Content-security-policy-report-only header value field to the Content-security-policy header value field.
- Uncheck Store violation report and Save.
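The review step above is easy to skip once a policy "works" in one browser. As an added example (not OpenCities code), the script below lints a policy value for mistakes browsers tolerate silently and maps a stored violation report back to the directive that blocked the resource. The sample policy and report are constructed; the report fields follow the csp-report JSON that browsers post.

```python
"""Lint a CSP header value and map a browser violation report to the directive
that blocked the resource. Added example, not OpenCities code; SAMPLE_POLICY and
SAMPLE_REPORT are constructed (report fields follow the browser's csp-report JSON)."""
import json
# Keywords must be single-quoted; a bare `self` is parsed as a host name.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def parse_csp(header: str) -> dict:
    """Return {directive: [sources]}; only the first copy of a directive counts."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def lint_csp(header: str) -> list:
    """Flag mistakes that commonly survive into a 'tested' policy."""
    findings, seen = [], set()
    for clause in header.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in seen:
            findings.append(f"{name}: repeated; browsers ignore every copy after the first")
            continue
        seen.add(name)
        for src in sources:
            if src.lower() in KEYWORDS:
                findings.append(f"{name}: {src} must be quoted as '{src}'")
            elif src.lower() == "'unsafe-inline'" and name in ("script-src", "default-src"):
                findings.append(f"{name}: 'unsafe-inline' re-enables inline script, the main XSS vector")
    if "default-src" not in seen:
        findings.append("default-src: missing, so any fetch directive not listed is unrestricted")
    return findings

def explain_violation(header: str, report_json: str) -> str:
    """Name the directive that blocked a resource and what it currently allows."""
    report = json.loads(report_json)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    policy = parse_csp(header)
    allowed = policy[directive] if directive in policy else policy.get("default-src", [])
    return f"{report['blocked-uri']} blocked by {directive} (allows: {' '.join(allowed) or 'nothing'})"

SAMPLE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                 "img-src self https://cdn.example; script-src https://other.example;")
SAMPLE_REPORT = json.dumps({"csp-report": {
    "effective-directive": "img-src", "violated-directive": "img-src self https://cdn.example",
    "blocked-uri": "https://images.example.net/logo.png"}})
```

Run `lint_csp` over the report-only value before promoting it, and `explain_violation` over each stored report to see which directive needs a source added.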
For more information, please refer to the MDN header documentation: