The Content Security Policy (CSP) HTTP header is part of Shield's HTTP Headers module. It lets you restrict the sources and types of content that a visitor's browser may load and process while rendering your site.
In essence, it allows you to dictate which resources (scripts, stylesheets, images, fonts, objects and so on) the browser is permitted to fetch; anything not covered by the policy is blocked.
Shield's Content Security Policy header covers all asset types, whether images, scripts, objects, styles or others.
How to enable / disable this Header
To enable this header, check the box shown in the screenshot below. To disable it, leave the box unchecked.
What are the Content Security Policy options?
The Content Security Policy options are as follows:
- Allow 'self' Directive - Adds the 'self' source expression: resources served from the same scheme, host and port as the page itself are permitted.
- Allow "data:" Directives - Adds the data: scheme source, which permits embedded data: URIs, most commonly used for inline images and fonts. Note that data: applies to every resource type the policy covers, including scripts, so only enable it if your theme or plugins actually need it.
- HTTPS Resource Loading - Adds the https: scheme source, which permits any resource from any host as long as it is served over HTTPS. This is a very broad allowance: it prevents mixed content but does not limit which hosts may supply scripts to your pages.
- Permitted Hosts and Domains - You explicitly list the hosts or domains from which content may be loaded. Take great care and test your site, because anything not on the list (third-party scripts, fonts, embedded media) will be blocked.
Recommendation: enabling these options is advised, but you must test them thoroughly on your site. After enabling, browse your key pages with the browser's developer console open; every blocked resource appears there as a CSP violation, which tells you which host or source type you still need to allow.
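To see what these four options mean in practice, the following added example (not Shield's own code) models how a browser evaluates the source expressions they correspond to. It assumes, for illustration only, that the options are emitted as a single default-src directive containing 'self', data:, https: and the listed hosts; the real plugin's output may differ. The page and resource URLs are constructed test data.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def build_policy(allow_self=True, allow_data=False, allow_https=False, hosts=()):
    """Assemble one default-src directive from the four Shield-style options.

    Assumption (not confirmed by the page): the options map onto a single
    default-src directive; the real plugin may emit other directives as well.
    """
    sources = []
    if allow_self:
        sources.append("'self'")
    if allow_data:
        sources.append("data:")
    if allow_https:
        sources.append("https:")
    sources.extend(hosts)
    return "default-src " + (" ".join(sources) if sources else "'none'")


def _split(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def _scheme_ok(expr_scheme, res_scheme):
    # A policy scheme of http: also permits https: (CSP 3 scheme matching).
    return res_scheme == expr_scheme or (expr_scheme == "http" and res_scheme == "https")


def _host_source_matches(expr, res, page):
    """Match a host-source such as cdn.example.com, *.example.com or https://cdn.example.com:8443."""
    res_scheme, res_host, res_port = res
    if not res_host:  # data:, blob: and similar URLs never match a host-source
        return False
    expr_scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host_part, _, port_part = rest.partition(":")
    # Without an explicit scheme, the resource must use the page's scheme.
    required_scheme = page[0] if expr_scheme is None else expr_scheme.lower()
    if not _scheme_ok(required_scheme, res_scheme):
        return False
    host_part = host_part.lower()
    if host_part == "*":
        pass
    elif host_part.startswith("*."):
        # *.example.com matches sub.example.com but not example.com itself
        if not res_host.endswith(host_part[1:]):
            return False
    elif host_part != res_host:
        return False
    if port_part == "":
        return res_port == DEFAULT_PORTS.get(res_scheme)
    if port_part == "*":
        return True
    return res_port == int(port_part)


def allowed(policy, resource_url, page_url):
    """Return True if a browser applying `policy` on `page_url` would load `resource_url`."""
    page = _split(page_url)
    res = _split(resource_url)
    _, _, sources = policy.partition("default-src ")
    for src in sources.split():
        src = src.strip(";")
        if src == "'none'":
            return False
        if src == "'self'":
            # Same scheme, host and port as the page.
            if res == page:
                return True
        elif src.endswith(":") and "/" not in src:
            # scheme-source such as https: or data:
            if _scheme_ok(src[:-1].lower(), res[0]):
                return True
        elif _host_source_matches(src, res, page):
            return True
    return False


if __name__ == "__main__":
    page = "https://www.example.com/"  # constructed sample site
    strict = build_policy(allow_self=True, hosts=["cdn.example.com"])
    broad = build_policy(allow_self=True, allow_https=True)
    for url in ("https://www.example.com/app.js", "https://cdn.example.com/lib.js",
                "https://attacker.example.org/x.js", "data:image/png;base64,AAAA"):
        print(f"{url:40} strict={allowed(strict, url, page)} broad={allowed(broad, url, page)}")
```

Run it as-is to compare a strict host list against the HTTPS Resource Loading option: the broad policy loads a script from a host that was never listed, which is exactly why the documentation advises care with that option.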
To learn more about HTTP Content Security Policy Headers, read the blog article here.
We also recommend that you read: