我在.htacces文件中添加了以下行:
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
但我总是遇到以下错误:
Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration
我不明白。我必须激活哪个Apache模块?这些线有什么问题?
THX, 大卫
答案 0 :(得分:10)
将这些行添加到httpd.conf配置文件中,或虚拟主机部分内或.htaccess文件中:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
您可能也有兴趣添加这些标题:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
如果尚未启用(LoadModule)mod_headers,则必须启用它,然后重新启动apache。
答案 1 :(得分:1)
我不是apache专家,但内容安全策略是响应头。 http://httpd.apache.org/docs/2.2/mod/mod_headers.html