
CSP in the header or in the .htaccess …

Published on: February 20, 2022 at 8:42 pm · By: volker01
#74474

Hello,

Questions from a newbie:

What is better?
CSP in the header or in the .htaccess?

When it is in the header and I run some external checks,
some detect the CSP, some do not.

When it is in the .htaccess the external checks cannot detect the CSP – correct?

  • #74475

    For CSP to work, your website has to send it with the page response inside the header (not to be confused with the HTML HEAD). To do that, the plugin can set headers on page request, or it can write the CSP in .htaccess, so the Apache server will add it to each response based on what is in .htaccess. The point of the CSP is that it has to be detectable; if it is not present, it can’t be used.

    I prefer using .htaccess, but there is not much difference. If you don’t use Apache, the plugin generates headers for NGINX and IIS, but they have to be added to the servers manually.

    Milan

    Dev4Press - Premium plugins for WordPress.

  • #74476

    Hello Milan, thank you for your answer.

    I’m using Apache and both are possible, and I use the .htaccess.

    When I check it with the browser developer tools,
    I can see the response header with the CSP
    when I select NOT the very first entry in the network list.
    This is in both Firefox and Chrome.
    It looks like that is not correct?

  • #74477

    You should see CSP in the response. If you don’t see it, it means CSP is not set, and will not be used by the browser.

    Dev4Press - Premium plugins for WordPress.

    1 user thanked author for this post.
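
Added example (not part of the thread and not the plugin's code): a Python script that takes raw HTTP responses and reports whether each one carries a CSP as a response header, as a report-only header, or only as a `<meta>` tag in the HTML HEAD, the distinction made in reply #74475. The sample responses are constructed, and the names `csp_sources` and `MetaCSP` are assumptions of this example.

```python
import io
from html.parser import HTMLParser
from http.client import parse_headers

class MetaCSP(HTMLParser):
    """Collects policies delivered as <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")

def csp_sources(raw: bytes) -> dict:
    """Report where one raw HTTP response carries a CSP, if anywhere."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    # Header names are matched case-insensitively by the returned message object.
    headers = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    meta = MetaCSP()
    if "html" in (headers.get("Content-Type") or "").lower():
        meta.feed(body.decode("utf-8", "replace"))
    return {
        "status": int(status_line.split()[1]),
        "header": headers.get_all("Content-Security-Policy") or [],
        "report_only": headers.get_all("Content-Security-Policy-Report-Only") or [],
        "meta": meta.policies,
    }

# Constructed sample capture (not from the thread): a page, a static asset, a meta-only page.
DOCUMENT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
            b"<html><head><title>Example</title></head><body>Hello</body></html>")
ASSET = (b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
         b"content-security-policy: default-src 'self'\r\n\r\nbody { margin: 0 }")
META_ONLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><head><meta http-equiv=\"Content-Security-Policy\" "
             b"content=\"default-src 'self'\"></head><body></body></html>")

if __name__ == "__main__":
    for name, raw in [("document", DOCUMENT), ("asset", ASSET), ("meta-only", META_ONLY)]:
        print(name, csp_sources(raw))
```

The policy a browser applies to a page comes from the response for the page document itself, so that is the response to check first.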