Where to add Content Security Policy (CSP)?

12 posts by 3 authors in: Forums > CMS Builder
Last Post: April 12

Where is the best place to add a CSP into CMS Builder so that it applies across the system? I usually include it via header() calls inside PHP (or an 'include' call to a CSP.php file that contains those headers) as the .htaccess approach doesn't work for PHP on our server (it only impacts SHTML/HTML/CGI).

Hi Mark, 

You could put them in /cmsb/lib/menus/header.php and if you email them over to me (or post) I can include them in the next release if they'd be helpful to others.  

Dave Edis - Senior Developer

I'm not sure I'd recommend including CSP into CMSBuilder by default, as it's one of those things that you need to tailor to a specific site due to the risk of breaking things. In my case, I'm just using a simplified set to be compliant, and it's not a particularly strong or secret batch of settings. The ones I'm using - after a lot of trial and error - are:

header('X-Frame-Options: SAMEORIGIN');
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: default-src * data: blob:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; img-src https: http://www.YOURSITE.com http://*.YOURSITESUBDOMAIN.com data: blob:; frame-src https:; base-uri *; worker-src * https: blob:;");
header("Permissions-Policy: camera=(), geolocation=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), hid=()");

But what would be handy is if we could set them in CMSBuilder without needing to edit core files that may change with each update of the CMS. For example, adding them into the config file or via the admincp may be handy.

By Djulia - October 24, 2023 - edited: October 24, 2023

Hi Mark,

Interesting post!

Personally, I use my CSP in an .htaccess file (Apache). I do not have access to the security.conf file.

<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
  Header always append X-Frame-Options SAMEORIGIN
  Header set X-Content-Type-Options "nosniff"
  Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' mystats.mysite.com"
</IfModule>

Sadly on our Ionos (1&1) server the .htaccess method doesn't touch .php files, otherwise I'd be using that too.

In the documentation they refer to the .htaccess file. Are you on a particular offer?

I believe it's down to the fact that they install PHP with FastCGI, which in this case means that any 'headers' for CSP added via .htaccess will only touch older server files like .html and .cgi. Not much good if you want to apply it in PHP, where the alternative is to add the headers directly into the PHP programme itself - usually in a config file or a key file that the system always needs to call (e.g. init.php). Took me a lot of trial and error to eventually figure this one out. Tools like this helped:


As usual with Ionos, the information they put on their own website often doesn't accurately reflect the different setups on the servers they sell to consumers.
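An added example for this thread, not CMS Builder's own code and not the headers Mark posted: a single PHP include (hypothetical filename csp_headers.php) to be loaded from a file the CMS always runs before output, which keeps the site-specific origins in one array, sends the policy in report-only mode while it is being tuned, and checks headers_sent() so a misplaced include is logged rather than silently doing nothing. The hostnames are constructed placeholders.

```php
<?php
// csp_headers.php (hypothetical filename): include this from a file that
// CMS Builder always loads (e.g. the init/config file), before any output.
// Added example for this thread, not CMS Builder's own code.

// Site-specific origins live here so core files need not be edited on update.
// Constructed placeholder hosts; replace with your own.
$cspPolicy = [
    'default-src'     => ["'self'"],
    'script-src'      => ["'self'", 'https://cdn.example.com'],
    'style-src'       => ["'self'", "'unsafe-inline'"],
    'img-src'         => ["'self'", 'data:', 'https://*.example.com'],
    'frame-src'       => ["'self'"],
    'frame-ancestors' => ["'self'"],
    'base-uri'        => ["'self'"],
];

// Start in report-only mode while tuning: browsers report violations in the
// console but block nothing, so the site keeps working during trial and error.
// Flip to false once the console is clean.
$cspReportOnly = true;

function buildCspHeader(array $policy): string
{
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

function sendSecurityHeaders(array $policy, bool $reportOnly): bool
{
    // header() warns and does nothing once output has begun; log where the
    // output started instead of ending up with an unprotected page.
    if (headers_sent($file, $line)) {
        error_log("Security headers not sent: output already started at $file:$line");
        return false;
    }
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . buildCspHeader($policy));
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Permissions-Policy: camera=(), geolocation=(), microphone=(), payment=(), usb=()');
    return true;
}

sendSecurityHeaders($cspPolicy, $cspReportOnly);
```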

Hi Dave,

I just tested your plugin and everything works fine for me. Thanks!


Thanks for this link! I also use this site:

Nice work, thanks Dave and Djulia.