cPanel violates CSP set in apache includes
I wanted to set security headers globally for my website, so I set the headers in the Apache includes (/etc/apache2/conf.d/userdata/ssl/2_4/user/domain/headers.conf).
This works fine for my website, but now I have a problem using the cpanel.mydomain.com subdomain because it violates my CSP policy (it uses unsafe-inline scripts).
How can I exclude this subdomain from using the security headers, while still keeping the headers for the rest of the website?
I realize I could just put 'unsafe-inline' in the script-src directive but that would defeat the point of my CSP.
Also, setting the headers in the .htaccess file is not an option since it doesn't work for .php files (something to do with fcgi).
This is the code used in headers.conf:
Header always set Content-Security-Policy "default-src 'self'; font-src 'self' data:; script-src 'self'"
I just surrounded this code in and tags and now the headers are not set for the proxy subdomains.
Hello, I'm glad to see it's now working as you intend. Thank you for sharing the outcome.
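One way to scope the header as described in this thread, added here as an example and not the poster's actual configuration (the tags they wrapped the directive in did not survive on the page). It assumes Apache 2.4 with mod_headers and uses an `<If>` expression on the request's Host header; the `cpanel.` prefix is taken from the hostname in the question.

```apache
# headers.conf (added example; adjust the hostname pattern to your setup)
<IfModule mod_headers.c>
    # Send the strict policy on every host except the cPanel proxy
    # subdomain, whose pages rely on inline scripts.
    # Assumption: the proxy subdomain is matched by its "cpanel." prefix;
    # extend the alternation if other proxy subdomains are affected.
    <If "%{HTTP_HOST} !~ /^cpanel\./">
        Header always set Content-Security-Policy "default-src 'self'; font-src 'self' data:; script-src 'self'"
    </If>
</IfModule>

# Check after reloading Apache (run from a shell, not part of the config):
#   curl -sI https://mydomain.com/        -> Content-Security-Policy present
#   curl -sI https://cpanel.mydomain.com/ -> Content-Security-Policy absent
```

The main site keeps `script-src 'self'` without `'unsafe-inline'`; only the excluded hostname is served without the policy.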