CodeIgniter Forums
how to configure CSP correctly - Printable Version

Forum: CodeIgniter 4 / CodeIgniter 4 Support
Thread: how to configure CSP correctly (/thread-68403.html)

how to configure CSP correctly - puschie - 07-06-2017

Hey, I was trying to use the Content Security Policy feature, but I always get the (console) error that my settings have blocked a resource on 'self'.

I tried different settings with absolute paths and wildcards ( localhost/[...]/css/* ) and the default 'self', but everything gives the same result.

Can someone show me what correct settings should look like?

(I also use {csp-script-nonce} in inline blocks, but this also results in "Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ([...]), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback")

Thx :)

RE: how to configure CSP correctly - kilishan - 07-06-2017

Hmm. It's been a while since I wrote that code, or read those specs. I just tried a quick example and found at least one problem. Will try to dig into the whole thing tonight and post a simple example, fix bugs, etc.

RE: how to configure CSP correctly - kilishan - 07-07-2017

Took me a little longer than expected, but I think I've squashed the bugs with CSP. Pull down the latest source and it should be working for you. Here's a quick example to get you started:

First off - turn CSP on in Config/App.php

public $CSPEnabled = true;

Now refresh your page and you'll see lots of errors in your browser's console. If you have the debug toolbar on - you'll see even more. Please note that the toolbar is not compatible with CSP and should be turned off when you're tuning your CSP rules.

Assuming you have a simple little HTML page like this (which you wouldn't but we have to start somewhere):

<!doctype html>
<link rel="stylesheet" href="" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<style {csp-style-nonce}>
body { background: #efefef; }
</style>


You would need to add the following in your base controller, or wherever you want, to get things passing the CSP restrictions:


setDefaultSrc isn't really required for this, but will make things a little simpler for you in most cases.

addStyleSrc is required to allow the external Bootstrap stylesheet.
addFontSrc is required to allow Bootstrap to load its fonts.

Because the {csp-style-nonce} tag is in the style tag, a nonce will be automatically created for you and inserted into the header. With these rules, you'll end up with a generated header like:

Content-Security-Policy:connect-src 'self'; default-src 'self'; font-src; img-src 'self'; script-src 'self'; style-src 'self' 'nonce-1cb22ae4b1a5c58a66415811';

Hope that helps!

Be sure to read the articles linked in the docs for more information. It can get a bit complex.

RE: how to configure CSP correctly - puschie - 07-09-2017

Great work :)
So I don't have to worry about the errors (shown in the console)?
I still have problems using local fonts; I guess it's an understanding problem on my side ^^ (they are successfully loaded but not used by the CSS rules in the HTML).

RE: how to configure CSP correctly - kilishan - 07-10-2017

The errors that show in the console could be from the debug toolbar, or could be from your own code. They are valid errors. However, the only way to know is to turn the toolbar off, and then scan your site looking for errors. Or create a controller to receive and log debug info from the CSP function itself, using the reportOnly and setReportURI settings.

Fonts require the fontSrc setting to be set to where you expect fonts to come from. But, yes, it's a fairly complex topic that I can't begin to answer all of the questions for :)
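The report-only workflow mentioned above, as an added example that is not part of the thread or of CodeIgniter: a JavaScript (Node.js) module for the receiving end of a report-uri endpoint. A browser running under Content-Security-Policy-Report-Only blocks nothing but POSTs one JSON body per violation (Content-Type: application/csp-report) to that URI; the functions below build the report-only header, normalise such bodies into log records, drop extension-generated noise and aggregate the rest so the gaps in a policy can be read off real traffic instead of console screenshots. The sample bodies, paths and hosts are constructed for illustration, and the endpoint is assumed to be unauthenticated, so junk input is expected and rejected.

```javascript
// Added example, not CodeIgniter code: receiving and aggregating CSP violation
// reports during a report-only rollout. Browsers POST one JSON object per
// violation (Content-Type: application/csp-report) to the report-uri endpoint.

// Header for the tuning phase: nothing is blocked, every violation is reported.
// report-uri is deprecated in CSP3 (in favour of report-to) but still honoured.
function reportOnlyHeader(policy, reportPath) {
  const base = policy.trim().replace(/;\s*$/, '');
  return {
    name: 'Content-Security-Policy-Report-Only',
    value: `${base}; report-uri ${reportPath};`,
  };
}

// Normalise one report body into a log record; null for anything that is not
// a CSP report (the endpoint is unauthenticated, so expect junk).
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // effective-directive names the directive that actually failed (style-src even
  // when only default-src was written); violated-directive is the older field.
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  const blocked = String(r['blocked-uri'] || '');
  return {
    document: String(r['document-uri'] || ''),
    directive,
    blocked,
    // "inline" and "eval" are what browsers report for code without a nonce/hash.
    kind: blocked === 'inline' || blocked === 'eval' ? blocked : 'fetch',
    // Violations caused by browser extensions are noise for policy tuning.
    noise: /^(chrome|moz|safari)-extension:/.test(blocked),
    line: r['line-number'] === undefined ? null : r['line-number'],
  };
}

// Count violations per (directive, blocked target), busiest first, skipping noise.
function summarize(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const rec = parseCspReport(body);
    if (!rec || rec.noise) continue;
    const key = `${rec.directive} ${rec.blocked}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([key, count]) => ({ key, count }));
}

// Constructed sample bodies in the shape browsers send (not captured traffic).
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://localhost/', 'violated-directive': "default-src 'self'", 'effective-directive': 'style-src', 'blocked-uri': 'inline', 'line-number': 3, 'original-policy': "default-src 'self'" } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://localhost/about', 'violated-directive': "default-src 'self'", 'effective-directive': 'style-src', 'blocked-uri': 'inline', 'line-number': 9, 'original-policy': "default-src 'self'" } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://localhost/', 'violated-directive': 'font-src', 'effective-directive': 'font-src', 'blocked-uri': 'http://localhost/fonts/a.woff', 'original-policy': "default-src 'self'; font-src;" } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'http://localhost/', 'violated-directive': "script-src 'self'", 'effective-directive': 'script-src', 'blocked-uri': 'chrome-extension://constructed-id/inject.js', 'original-policy': "default-src 'self'" } }),
  'this is not json',
];
```

Wire parseCspReport to the POST handler of whatever path you hand to setReportURI, write each record to a log, and run summarize over a day of records: the top entries are the directives to widen (or the inline blocks that still lack a nonce) before switching the header from Report-Only to enforcing. The effective-directive field is the one to key on, since it names style-src even when the policy only wrote default-src, which is exactly the fallback the browser's console message describes.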

RE: how to configure CSP correctly - frankenestain - 10-12-2018

There's no app.php in config!

RE: how to configure CSP correctly - ttwist - 11-25-2019

(10-12-2018, 11:52 AM)frankenestain Wrote: There's no app.php in config!

It's there in CodeIgniter 4; can anybody help with V3?

RE: how to configure CSP correctly - egranty - 11-23-2020

(11-25-2019, 11:17 PM)ttwist Wrote:
(10-12-2018, 11:52 AM)frankenestain Wrote: There's no app.php in config!

It's there in CodeIgniter 4; can anybody help with V3?

Yeah, CI 3 does not have built-in support for Content Security Policy (CSP), but CSP is just an HTTP header.

1. You are able to publish any HTTP headers in any version of CodeIgniter by using the $response->setHeader() method:
$this->response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline';");

2. If you are not looking for the easy way and want some of the convenience of the CSP setup, it's possible to import the ContentSecurityPolicy.php class from CI4 into CI3. You just need to change some PHP 7 constructs like:
PHP Code:
$explicitReporting ?? $this->reportOnly
to PHP 5:
PHP Code:
is_null($explicitReporting) ? $this->reportOnly : $explicitReporting

Anyway, you need to modify the ContentSecurityPolicy.php class even if you use CI4: this class is oriented towards the outdated Content Security Policy Level 2 spec, therefore it does not support a lot of CSP3 directives and tokens.