8

I added the following lines to my .htaccess file:

Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'

But I always got the following error:

Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration

I don't get it. Which Apache module do I have to activate? What's wrong with these lines?

Thx, David

4

2 Answers

14

Add these lines to your httpd.conf configuration file, a VirtualHost section, or an .htaccess file:

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"

You may also be interested in adding these headers:

Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"

If it is not already enabled, you must enable (LoadModule) mod_headers and then restart Apache.

Answered 2013-10-15T13:49:13.510
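
A small linter for the mistake in the question, as an added example that is not part of the original posts: it finds raw "Name: value" header lines in an .htaccess file and rewrites them as mod_headers "Header set" directives. The function names and the sample file are constructed for illustration; mod_headers must still be loaded, as the answer above notes.

```python
import re

# A bare "Name: value" line is HTTP wire syntax. Apache reads the first token
# of each line as a directive name, which is what produces "Invalid command".
RAW_HEADER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*):\s*(\S.*?)\s*$")


def to_directive(name, value):
    """Build a mod_headers directive; the value is one double-quoted argument."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'Header set {name} "{escaped}"'


def fix_htaccess(text):
    """Return (fixed_text, findings); findings are (line_number, header_name)."""
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = RAW_HEADER.match(line)
        if match:
            findings.append((number, match.group(1)))
            out.append(to_directive(match.group(1), match.group(2)))
        else:
            # Comments and real directives (no colon after the first token) pass through.
            out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample: the question's three lines plus ordinary directives.
SAMPLE = """\
# security headers
Options -Indexes
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
Header set X-Frame-Options "DENY"
"""

if __name__ == "__main__":
    fixed, findings = fix_htaccess(SAMPLE)
    for number, name in findings:
        print(f"line {number}: raw header '{name}' is not an Apache directive")
    print(fixed, end="")
```
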
1

I'm not an Apache expert, but Content Security Policy is a response header. http://httpd.apache.org/docs/2.2/mod/mod_headers.html

Answered 2013-05-06T16:02:24.150