Content Security Policy - Using them in HTTP response header
Karthikeyan J
This request was created on behalf of Basil
Currently, the content security policy tag is added to the meta tags.
However, most of the sites such as https://securityheaders.com/ will check the HTTP response header to identify the tag and evaluate the website.
It would be great if we had an option to select where we want to use the tags.
Thank you.
Athithiyien Balasubramani
CSP needs to be implemented in the response headers as well, along with the meta tag, as suggested by security score card. Until and unless it is implemented in the response header, they won't mark it as fixed.
Ideal Fix: Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; object-src 'none'; style-src 'self' https://fonts.googleapis.com; font-src https://fonts.gstatic.com;
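The following is an added example, not part of the original request or its comments: a Python check that reports whether a response delivers its CSP through the HTTP header, a meta tag, or both, and lists the directives the CSP specification ignores when the policy arrives via `<meta>` (`frame-ancestors`, `report-uri`, `sandbox`). The function names, the `scanner_sees_csp` field and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

# Directives the CSP specification ignores when the policy arrives via <meta>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

class _MetaCSP(HTMLParser):
    """Collects the content of every <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))

def directives(policy):
    """Split a policy string into {directive-name: [source values]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def csp_delivery(headers, html):
    """Report where a response carries its CSP, as a header-based scanner sees it."""
    header = next((v for k, v in headers.items()
                   if k.lower() == "content-security-policy"), None)
    parser = _MetaCSP()
    parser.feed(html)
    ignored = sorted({d for p in parser.policies for d in directives(p)} & META_IGNORED)
    return {
        "header": directives(header) if header else None,
        "meta": [directives(p) for p in parser.policies],
        "meta_ignored_directives": ignored,
        "scanner_sees_csp": header is not None,  # assumed: scanner reads headers only
    }

# Constructed sample responses: the same policy delivered two different ways.
POLICY = ("default-src 'self'; script-src 'self' https://apis.example.com; "
          "object-src 'none'; frame-ancestors 'none'")
META_ONLY = ({"Content-Type": "text/html"},
             '<html><head><meta http-equiv="Content-Security-Policy" '
             f'content="{POLICY}"></head><body></body></html>')
HEADER_ONLY = ({"Content-Type": "text/html", "Content-Security-Policy": POLICY},
               "<html><head></head><body></body></html>")

if __name__ == "__main__":
    for sample in (META_ONLY, HEADER_ONLY):
        print(csp_delivery(*sample))
```

For the meta-only sample the result shows no header policy and flags `frame-ancestors` as ignored, so that directive would have to move to the response header to take effect.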