I’m currently in the process of implementing Content-Security-Policies. But my apache refused to accept the config settings.
The apache2 versions I am currently using are: 2.2.22 and 2.4.7. Neither of those apache2 versions seem to work.
My config settings are:
    Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;
    Header always set Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://www.myhostname.com/report/report.php;
    Header always set X-Content-Security-Policy: frame-src 'self' google.de google.com;
I receive the following error message on either of those settings. If I comment out one line, the error just changes to the following line:
Output of config test was:

    AH00526: Syntax error on line 7 of /etc/apache2/conf-enabled/security.conf:
    Header has too many arguments
    Action 'configtest' failed.
I’ve tried every possible combination of settings, resulting in the same error messages. So I have come to believe that my apaches don’t support those headers? But I haven’t found anything on the web regarding this issue.
Or am I just missing something crucial? I have also copied various examples from other pages and they produced the same errors.
Headers in general are working fine. I have a couple of other headers set, which work perfectly:
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Permitted-Cross-Domain-Policies "master-only"
    Header always set Cache-Control "no-cache, no-store, must-revalidate"
    Header always set Pragma "no-cache"
    Header always set Expires "-1"
If the value of the header contains spaces, you must surround it in double quotes. Your examples already do this, but your intended new headers do not.
For example, you tried:
    Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;
It should be:
    Header always set Content-Security-Policy: "frame-src 'self' *.google.de google.de *.google.com google.com;"
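To make the "too many arguments" error concrete, here is an added example (not part of the question or the answer above) that tokenizes a `Header` directive the way Apache's configuration parser does and flags values that were not double-quoted. It models the parser's rules as the answer describes them: whitespace separates arguments and only double quotes group a value, so the single-quoted CSP keywords like `'self'` do not protect the value. The `BROKEN_CONFIG` lines are reconstructed from the question; `check_header_directive` and `quoted_directive` are names chosen for this example, not Apache functions.

```python
"""Detect unquoted values in Apache `Header [always] set NAME VALUE` lines.

Models the relevant part of Apache's config tokenizer: arguments are split
on whitespace, a double-quoted string is one argument, and a backslash
escapes the next character inside double quotes. Single quotes are plain
characters, which is why CSP keywords such as 'self' do not group anything.
"""

import re


def apache_tokens(line):
    """Split one config line into arguments as Apache would."""
    tokens, buf = [], []
    quoted = in_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == "\\" and i + 1 < len(line):
                buf.append(line[i + 1])
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                buf.append(ch)
        elif ch == '"':
            quoted = in_token = True
        elif ch.isspace():
            if in_token:
                tokens.append("".join(buf))
                buf, in_token = [], False
        else:
            buf.append(ch)
            in_token = True
        i += 1
    if in_token:
        tokens.append("".join(buf))
    return tokens


def check_header_directive(line):
    """Return None when the line would pass configtest, else a problem string.

    Only the `set` action is modelled: it takes NAME and VALUE, plus at most
    one optional trailing env=/expr=/early argument.
    """
    toks = apache_tokens(line)
    if not toks or toks[0].lower() != "header":
        return None  # not a Header directive, nothing to check
    args = toks[1:]
    if args and args[0].lower() in ("always", "onsuccess"):
        args = args[1:]
    if len(args) < 3 or args[0].lower() != "set":
        return "expected: Header [always] set NAME VALUE"
    trailing = args[3:]
    if trailing and not (len(trailing) == 1 and re.match(r"^(env=|expr=|early$)", trailing[0])):
        return "Header has too many arguments (unquoted value split into %d tokens)" % (len(trailing) + 1)
    return None


def quoted_directive(name, value, always=True):
    """Build a Header directive whose value is safely double-quoted."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return 'Header %sset %s "%s"' % ("always " if always else "", name, escaped)


# Constructed from the question: the first line is the one configtest rejects,
# the next two are the working headers the questioner already had.
BROKEN_CONFIG = [
    "Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;",
    "Header always set X-Content-Type-Options nosniff",
    'Header always set X-XSS-Protection "1; mode=block"',
]


def report(lines):
    """Return (line_number, problem) for every line that would fail configtest."""
    return [(n, p) for n, l in enumerate(lines, 1) if (p := check_header_directive(l))]


if __name__ == "__main__":
    for n, problem in report(BROKEN_CONFIG):
        print("line %d: %s" % (n, problem))
    fixed = quoted_directive("Content-Security-Policy",
                             "frame-src 'self' *.google.de google.de *.google.com google.com;")
    print("fixed:", fixed, "->", check_header_directive(fixed) or "ok")
```

Running it reports only line 1 of the constructed config, and the rebuilt directive with the quoted value passes the same check, which is exactly what `apachectl configtest` shows once the quotes are added.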