How to enable Content-Security-Policy and Permissions-Policy Apache headers

Introduction

You may want to enable the Content-Security-Policy and Permissions-Policy headers to increase site security. This article provides the procedure to add these headers to the Apache configuration.

Please note, the following instructions assume you already enabled HSTS on the server.

Procedure

1. Log into WHM as the 'root' user.
2. Navigate to "WHM / Service Configuration / Apache Configuration."
3. Click "Include Editor."
4. Select "All Versions" from the drop-down menu under "Pre-Main Include."
5. Add the following entries to the IfModule section.

   Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
   Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"

6. Click the "Update" button.
7. Click the "Restart Apache" button.

Additional resource

PCI - How to enable HSTS on a cPanel server.

Apache Configuration

Include Editor