---
title: "Add Content-Security-Policy (CSP) in Drupal 8"
description: "The Content-Security-Policy Drupal module helps you configure a Header set Content-Security-Policy header to specify what sources your website should load scripts from - (e.g. your own website,..."
url: https://www.inmotionhosting.com/support/edu/drupal/content-security-policy-csp-drupal-8/
date: 2019-12-03
modified: 2023-09-14
author: "InMotion Hosting Contributor"
categories: ["Drupal"]
type: post
lang: en
---

# Add Content-Security-Policy (CSP) in Drupal 8

The [Content-Security-Policy Drupal module](https://www.drupal.org/project/csp) helps you configure a `Header set Content-Security-Policy` header to specify what sources your website should load scripts from – (e.g. your own website, embedded [YouTube video](https://www.inmotionhosting.com/support/website/website-design/add-youtube-video/), and [analytics trackers](https://www.inmotionhosting.com/support/website/analytics/choose-the-best-analytics-tool/)). This forces [supporting web browsers](https://caniuse.com/#search=content-security-policy) to ignore other external requests to mitigate cross-site scripting (XSS) and other code injection attacks.

There are three parts to adding CSP for Drupal security:

- [Add Content-Security-Policy Module](#configure)
- [Configure Report-Only](#report)
- [Enforce CSP](#enforce)

Maintain high performance and security with our [Managed Drupal Hosting](https://www.inmotionhosting.com/drupal-hosting).

## Configure Content-Security-Policy

1. [Login to Drupal](https://www.inmotionhosting.com/support/edu/drupal/how-to-log-into-the-drupal-admin-dashboard/).
2. [Install the Drupal module](https://www.inmotionhosting.com/support/edu/drupal/install-2/#admin) using the [Content-Security-Policy download link](https://www.drupal.org/project/csp).
3. Click **Enable newly added modules**.
4. At the bottom, under *Other*, Check the box beside **Content Security Policy**.
5. Click **Install** at the bottom.
6. Click **Configuration** at the top.
7. Under *System*, Click **Content Security Policy**.

## Report-Only

“Report-Only” is the safest way to configure Content Security Policy without disrupting the website. This allows you to learn what elements wouldn’t be loaded if the policy was enabled via your web browser or auto-generated reports.

1. View your website.
2. Open your web browser’s **Inspect Element** feature.
3. Check the **Console** tab to see what’s being blocked by CSP.
4. Make changes as needed until all errors are removed.

![](/support/wp-content/uploads/2019/11/drupal-content-security-policy-default-scaled.png)

![](/support/wp-content/uploads/2019/11/drupal-csp-inspect-element-1.png)

## Enforce CSP

Enforced policies will block unspecified scripts.

1. Once all errors are removed, in your Content Security Policy module settings, click the **Enforced** tab.
2. Click **Enable ‘Enforced’**.
3. Add the options from the *Report-Only* section there.
4. Click **Save configuration**.
5. Test your site by unchecking the Report-Only option.
6. Make changes as needed until all errors are removed.

![](/support/wp-content/uploads/2019/11/drupal-csp-enforced-1024x382.png)

Enable [HTTP Strict Transport Security (HSTS)](https://www.inmotionhosting.com/support/website/force-hsts-using-htaccess/) in your .htaccess file or [CloudFlare](https://www.inmotionhosting.com/support/website/hsts-using-cloudflare/) for more security.
