Why does my apache refuse the "Content-Security-Policy" headers?

Riemu asked:

I’m currently in the process of implementing Content-Security-Policies. But my apache refused to accept the config settings.

The apache2 versions I am currently using are: 2.2.22 and 2.4.7. Neither of those apache2 versions seems to work.

My config settings are:

Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;
Header always set Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://www.myhostname.com/report/report.php;
Header always set X-Content-Security-Policy: frame-src 'self' google.de google.com;

I receive the following error message on either of those settings. If I comment out one line, the error just changes to the following line:

Output of config test was:
AH00526: Syntax error on line 7 of /etc/apache2/conf-enabled/security.conf:
Header has too many arguments
Action 'configtest' failed.

I’ve tried every possible combination of settings, resulting in the same error messages. So I have come to believe that my apaches don’t support those headers? But I haven’t found anything on the web regarding this issue.

Or am I just missing something crucial? I have also copied various examples from other pages and they produced the same errors.

Headers in general are working fine. I have a couple of other headers set, which work perfectly:

Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Pragma "no-cache"
Header always set Expires "-1"

Thank you!

My answer:


If the value of the header contains spaces, you must surround it in double quotes. Your examples already do this, but your intended new headers do not.

For example, you tried:

Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;

It should be:

Header always set Content-Security-Policy: "frame-src 'self' *.google.de google.de *.google.com google.com;"

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.