Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header.
Although CSP is useful in improving the security of your web server, misconfiguration can result leaving loopholes open or even causing production outages. Although some configurations can be tested on your localhost, the exact behaviors may differ when deployed in productions since the domains are different.
With ModHeader, you can easily author complex CSP, test them, and copy them onto your production configuration to speed up your development while reducing the risk of mistakes.
- To add a new CSP directive, simply click onbutton, then select Content Security Policy
- Enter the name of the directive and its value. e.g.,
- ModHeader will generate the Content-Security-Policy based on all the active directives. You can now visit your page to see how it looks with the given CSP configuration.
- (Optional): It would be a good idea to add a URL filter / tab filter to avoid setting the same CSP on all websites.
- When you are happy with the given CSP configuration, click on COPY CSP button to copy the CSP value.
If you already have an existing CSP header value, you can parse them with ModHeader to break them up into individual directives. This way, you can configure them and test them individually.
- If the CSP response modifiers section does not appear yet, click onbutton, then select Content Security Policy
- Click on PARSE CSP button.
- Enter the existing CSP header value
- ModHeader will parse the existing CSP header value into individual directives. You can now modify, enable, and/or disable them individually.