CodeIgniter Forums
Improve ContentSecurityPolicy (CSP) - Printable Version




Improve ContentSecurityPolicy (CSP) - donpwinston - 01-17-2025

The way CodeIgniter sets CSP headers means they don't affect static resources like CSS, JS, and font files. I don't believe it is possible to add CSP for these resources in httpd.conf without overriding CodeIgniter's CSP settings.

Will setting CSP headers in a filter apply to static resources? Tomcat/Java is able to do this.

I'm guessing this is not possible or feasible with PHP. Therefore I believe the content security policy stuff in CodeIgniter should be removed because it is half-assed.

httpd.conf is the proper place to set up CSP in a PHP app. It does not work in PHP code.
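
Added example, not part of the original post and not CodeIgniter project code: an Apache `mod_headers` fragment that scopes a CSP header to files Apache serves directly, next to the unscoped form that touches every response. It assumes the stock CodeIgniter 4 layout where application requests are rewritten to `index.php`; the extension list and policy strings are constructed placeholders.

```apache
# Requires mod_headers (LoadModule headers_module ...).

# Unscoped form: at server or vhost level this directive applies to every
# response Apache sends, including the output of index.php, so it collides
# with the Content-Security-Policy that CodeIgniter emits from PHP.
# Header set Content-Security-Policy "default-src 'self'"

# Scoped form: <FilesMatch> is evaluated against the file that is actually
# served. Requests routed through the framework resolve to index.php, which
# does not match the pattern, so the header set in PHP is left untouched.
# Static assets that Apache serves itself match and receive the policy below.
<FilesMatch "\.(?:css|js|woff2?|ttf)$">
    # Constructed placeholder policy; replace with the policy required
    # for these asset types.
    Header set Content-Security-Policy "default-src 'none'"
</FilesMatch>
```

Comparing `curl -sI` output for one static asset and one application route shows which layer supplied the header on each response.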