DEV Community

hardyweb
hardyweb

Posted on

Content Security Policy- Basic Knowledge To Understand How It Work.

<!DOCTYPE html>
<html lang="en">

        <head>
                <meta charset="UTF-8">

                <?php
                        $nonce = base64_encode(random_bytes(16));
                        header("Content-Security-Policy: default-src 'self' www.youtube.com play.google.com cdnjs.cloudflare.com;font-src 'self' cdnjs.cloudflare.com fonts.googleapis.com;script-src 'strict-dynamic' 'nonce-$nonce' cdnjs.cloudflare.com; style-src 'strict-dynamic' 'nonce-$nonce' cdnjs.cloudflare.com fonts.gstatic.com; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; frame-src 'self' www.youtube.com");
                        header("Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
                        $pin1 = hash("sha256", "test");
                        $pin2 = hash("sha256", "tost");
                        header("Public-Key-Pins: pin-sha256=\"$pin1\"; pin-sha256=\"$pin2\"; max-age=31536000; includeSubDomains");
                        header("X-Frame-Options: SAMEORIGIN");
                        header("X-XSS-Protection: 1; mode=block");
                        header("X-Content-Type-Options: nosniff");
                        header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
                ?>
                <meta name="viewport" content="width=device-width, initial-scale=1">

              <link rel="stylesheet" nonce="<?php echo $nonce ?>" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.2/css/all.min.css" />


        <title>CSP TEST</title>

        </head>


          <h1 style="font-family:'Reem Kufi',san-serif"> چونتنت سچوريتي ڤوليچي /  داسر كسلامتن كندوڠن </h1>

          <h2>Laman ini digunakan untuk menguji Content Security Policy/ Dasar Keselematan Kandungan</h2>

          <i class="fa-brands fa-youtube"></i> <br/>

<!--
<iframe width="560" height="315" src="https://www.youtube.com/embed/m1KM_DxQXWM?si=xVSUJysB-lNmUUMe&amp;controls=0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>-->

          <br/>

          <i class="fa-solid fa-tower-cell"></i><br/>

<script nonce="<?php echo $nonce ?>"  >

</script>
       </body>
</html>

Enter fullscreen mode Exit fullscreen mode

CSP can be added in code, .htaccess , on the nginx vhost. It depends on the developemnt team to determine the best method to place CSP meta in the system.

Do your career a big favor. Join DEV. (The website you're on right now)

It takes one minute, it's free, and is worth it for your career.

Get started

Community matters

Top comments (0)

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

👋 Kindness is contagious

Immerse yourself in a wealth of knowledge with this piece, supported by the inclusive DEV Community—every developer, no matter where they are in their journey, is invited to contribute to our collective wisdom.

A simple “thank you” goes a long way—express your gratitude below in the comments!

Gathering insights enriches our journey on DEV and fortifies our community ties. Did you find this article valuable? Taking a moment to thank the author can have a significant impact.

Okay