Tuesday, January 4, 2022

[SOLVED] How to enable Content Security Policy in HTTP server

Issue

We are using Apache HTTPS server in product. As a fix for XSS (Cross site scripting) I tried to add Content-Security-Policy in the httpd.conf file. But it is not working and the server doesn't start after these changes.

Currently I have this response from server:

curl -k -I https://IP:Port
HTTP/1.1 200 OK
Date: Wed, 16 Jun 2021 16:53:12 GMT
Set-Cookie: JSESSIONID=xxxxxx; Path=/; Secure
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 1234
Content-Type: text/html;charset=UTF-8

As a fix to include CSP in HTTP response I have updated httpd.conf with

Content-Security-Policy: script-src 'self'

On verifying the syntax with "httpd -t" got the below error:

Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration

Also tried with these changes:

<IfModule mod_headers.c>
Header set X-XSS-Protection"1; mode=block"
Header set Content-Security-Policy="default-src 'self';"
</IfModule>

Now the syntax error is:

Header requires three arguments

Is there anything which I am missing in configurations or something else?


Solution

Syntax for httpd.conf is the same as for .htaccess:

<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
  Header set Content-Security-Policy "default-src 'self';"
</IfModule>


Answered By - granty
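As an added example (not part of the question or granty's answer), a small POSIX shell check that confirms the corrected directives actually reach the client: it reads a `curl -k -I` header dump and reports whether a Content-Security-Policy is present and not weakened by 'unsafe-inline' or 'unsafe-eval'. The function names and the two sample responses are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a server response
# actually carries the headers the Solution configures. Usage after sourcing:
#   . ./check_csp.sh && curl -sk -I https://IP:Port | check_csp
# The two samples below are constructed from the response shown in the Issue.

# The Issue's response (no CSP yet); constructed sample.
SAMPLE_WITHOUT_CSP="HTTP/1.1 200 OK
Date: Wed, 16 Jun 2021 16:53:12 GMT
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache"

# The same response after the Solution's <IfModule mod_headers.c> block is in
# effect; constructed sample (curl emits CRLF line ends, hence the \r handling).
SAMPLE_WITH_CSP="HTTP/1.1 200 OK
Date: Wed, 16 Jun 2021 16:53:12 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self';
Cache-Control: no-cache"

# Print the value of one header (names are case-insensitive) from a dump on stdin.
# Only the first ':' separates name from value, so values containing ':' survive.
header_value() {
    tr -d '\r' | awk -v n="$1" \
        'tolower($0) ~ ("^" tolower(n) ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Return 0 when a CSP is present and does not loosen script execution with
# 'unsafe-inline' or 'unsafe-eval'; return 1 (with a reason) otherwise.
check_csp() {
    csp=$(header_value Content-Security-Policy)
    if [ -z "$csp" ]; then
        echo "MISSING  Content-Security-Policy"
        return 1
    fi
    case "$csp" in
        *unsafe-inline*|*unsafe-eval*)
            echo "WEAK     Content-Security-Policy: $csp"
            return 1 ;;
    esac
    echo "ok       Content-Security-Policy: $csp"
    return 0
}
```

Note that `Header set` only applies to successful responses; use `Header always set` if error pages should carry the policy as well.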