Add Content-Security-Policy (CSP) in Drupal 8

The Content-Security-Policy Drupal module helps you configure a Header set Content-Security-Policy header to specify what sources your website should load scripts from – (e.g. your own website, embedded YouTube video, and analytics trackers). This forces supporting web browsers to ignore other external requests to mitigate cross-site scripting (XSS) and other code injection attacks.

There are three parts to adding CSP for Drupal security:

• Add Content-Security-Policy Module
• Configure Report-Only
• Enforce CSP

Maintain high performance and security with our Managed Drupal Hosting.

Configure Content-Security-Policy

1. Login to Drupal.
2. Install the Drupal module using the Content-Security-Policy download link.
3. Click Enable newly added modules.
4. At the bottom, under Other, Check the box beside Content Security Policy.
5. Click Install at the bottom.
6. Click Configuration at the top.
7. Under System, Click Content Security Policy.

Report-Only

“Report-Only” is the safest way to configure Content Security Policy without disrupting the website. This allows you to learn what elements wouldn’t be loaded if the policy was enabled via your web browser or auto-generated reports.

1. View your website.
2. Open your web browser’s Inspect Element feature.
3. Check the Console tab to see what’s being blocked by CSP.
4. Make changes as needed until all errors are removed.

Enforce CSP

Enforced policies will block unspecified scripts.

1. Once all errors are removed, in your Content Security Policy module settings, click the Enforced tab.
2. Click Enable ‘Enforced’.
3. Add the options from the Report-Only section there.
4. Click Save configuration.
5. Test your site by unchecking the Report-Only option.
6. Make changes as needed until all errors are removed.

Enable HTTP Strict Transport Security (HSTS) in your .htaccess file or CloudFlare for more security.