Chose Language:
Author: Admin/Publisher |not finished |not checked


CSP stands for Content Security Policy. It is an additional layer of security. In this case, we will see how to apply CSP in PHP.

CSP allows us to disable the loading of various types of scripts, CSS, files, etc.; as well as enable them.

The main reason for the existence of CSP is to try to prevent Cross Site Scripting (XSS).

Having a CSP on your page will significantly reduce the attack on your website.


CSP has many directives that we can use, which allow us to define where we are applying a limitation or allowing an action.

The directives determine what procedures or actions will be performed with respect to a given URL.

We can see all the directives at

Let’s see the most used directives


default-src is the predefined directive for (JavaScript, images, CSS, fonts, AJAX requests, frames, HTML5 media). This means that if one of the following directives is not present, default-src will take over (script-src, style-src, img-src, font-src, connect-src, media-src and object-src)


Define las fuentes de Javascript


sources for inline styles or CSS


sources for XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping>, or EventSource


fonts source


Valid source or origin for plugins, such as <object>, <embed>, or <applet>


Define the origin of videos and audios <audio> and <video>


I hesitated to include this since frames are not well-liked, but Google often uses them when we are using one of their APIs, for example Google Maps, Google AdSense, Analytics, or another.

Define the valid origin for loading frames


restricts the URLs which can be used as the target of form submissions from a given context.


Define las urls permitidas para el uso en el atributo src de una etiqueta HTML.

Tools that can help us create our CSP


  • inspector (herramienta del navegador firefox)
  • o similar

How to use the inspector:

It’s simple.

  1. Open the Firefox inspector by right-clicking on the page and selecting “Inspect Element”.

Once the inspector is open, you need to know how to obtain your CSP.

To obtain your CSP:

  1. Go to the Network tab.
  2. Reload the page and look for the first GET request in the Network tab.
  3. Click on the Headers tab.
  4. In the Headers tab, look for the Content-Security-Policy header and its value.
  5. Copy the value of the Content-Security-Policy header and paste it into the CSP Evaluator.

The CSP Evaluator will help you to evaluate your CSP header and identify any potential security risks.

Create the CSP in PHP

For PHP, we can use the header function to create our content security policy (CSP). My recommendation is to put it inside a function and then use it directly in our header. Or, if we are using WordPress, we can use something like:

add_action('wp_headers', 'add_content_security_policy_header',1);
function add_content_security_policy_header() {
    global $nonce;
	"default-src 'self' ".
		"https://* ".
		"; ".
	"script-src ".
		base()." ".
		"'nonce-$nonce'; ".
	"style-src 'self' ". 
		"'unsafe-inline' ".
		"'nonce-".$nonce."'; ".
	"img-src 'self' ".
		"https://* data: ; ".
	"font-src 'self' ".
		"data: ".
		"; ".
	"connect-src 'self' ".
		" ".
		"https://* ".
		" ".
		" ".
		"; ".
	"base-uri 'self'; ".
  • A nonce is a random number that is only used once. It is used for inline scripts, since we should not use inline-unsafe but a nonce or a hash.
  • If you are using styles, you should use inline-unsafe, nonce does not work for styles.
  • The idea of a nonce is that it cannot be known by the attacker, creating a random number can serve as a nonce, the number must be large, do not make small random numbers.
  • If you are using a nonce in your project, you must make it unique, remember that PHP has some functions that fulfill this, do not use time as a nonce, that would be a serious error.
  • On the other hand, there are also third-party packages that take care of this.
Category: en-php
Something wrong? If you found an error or mistake in the content you can contact me on Twitter | @luisg2249_luis.
Last 4 post in same category