Apache CSP Integration

Add CSP headers to your Apache configuration.

Requirements:

  • Apache 2.2+ with mod_headers enabled
  • Write access to httpd.conf, .htaccess, or the virtual host configuration

Ensure mod_headers is enabled:

# Debian/Ubuntu
sudo a2enmod headers
sudo systemctl restart apache2

# RHEL/CentOS: usually loaded by default; confirm that httpd.conf contains
# an uncommented "LoadModule headers_module" line

Add to your virtual host or .htaccess:

# Report-only mode (recommended to start)
Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID"

Once you have tuned the policy and the reports are clean, switch to enforcement:

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID"

A complete virtual host example (report-only while tuning; change the header name to Content-Security-Policy once the reports are clean):

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    # CSP header (report-only while tuning)
    Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.example.com; report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID"

    # Other security headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"

    # SSL configuration
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
</VirtualHost>

Header directive variants:

  Directive            Behavior
  Header set           Sets the header, overwriting any existing value
  Header append        Appends to an existing header of the same name
  Header add           Adds the header even if one already exists (can produce duplicate headers)
  Header always set    Sets the header for all responses, including error responses; without "always" only successful (2xx) responses get it

For directory-level configuration via .htaccess (requires AllowOverride to permit FileInfo):

.htaccess
<IfModule mod_headers.c>
    Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID"
</IfModule>

Per-directory policies in the main configuration or virtual host (Directory blocks are not permitted inside .htaccess):

<Directory /var/www/html/admin>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
</Directory>
<Directory /var/www/html/public>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"
</Directory>

If the header is not appearing:

  1. Check that mod_headers is loaded: apachectl -M | grep headers
  2. Verify that AllowOverride permits the directive if you are using .htaccess
  3. Check the Apache error logs

Test the configuration before restarting:

apachectl configtest

Then confirm the header is actually being sent:

curl -I https://your-site.com | grep -i content-security-policy
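Beyond grepping for the header name, you usually want to confirm which policy the server sends and whether it still carries the weak settings the steps above tune away. The following is an added example, not HeaderHawk's code: it extracts the CSP header from a curl -sI style response and lints it; sample_headers is a constructed response (placeholder hostnames from the page), and the helper names are this example's own.

```shell
# Constructed sample of what `curl -sI https://your-site.com` returns
# (not captured from a real server), mirroring the report-only virtual host above.
sample_headers() {
  printf '%s\r\n' \
    "HTTP/1.1 200 OK" \
    "Server: Apache" \
    "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID" \
    "X-Content-Type-Options: nosniff"
}

# Print the value of header $1 (name compared case-insensitively) from a response on stdin.
header_value() {
  tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { n = index($0, ":")
      if (n && tolower(substr($0, 1, n - 1)) == want) {
        v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# Print the source list of directive $2 in policy $1 (empty if the directive is absent).
csp_directive() {
  printf '%s' "$1" | tr ';' '\n' | awk -v d="$2" '
    { sub(/^[ \t]+/, ""); if ($1 == d) { $1 = ""; sub(/^[ \t]+/, ""); print; exit } }'
}

# Lint a policy against the points this page makes: a default-src fallback,
# no inline or wildcard script sources, and a report-uri so violations are collected.
# Prints one finding per line and returns the number of findings (0 = clean).
check_policy() {
  findings=0
  [ -n "$(csp_directive "$1" default-src)" ] || { echo "missing default-src fallback"; findings=$((findings + 1)); }
  scripts=$(csp_directive "$1" script-src)
  case " $scripts " in
    *"'unsafe-inline'"*) echo "script-src allows 'unsafe-inline'"; findings=$((findings + 1)) ;;
  esac
  case " $scripts " in
    *" * "*) echo "script-src allows any host (*)"; findings=$((findings + 1)) ;;
  esac
  [ -n "$(csp_directive "$1" report-uri)" ] || { echo "no report-uri: violations will not be collected"; findings=$((findings + 1)); }
  return "$findings"
}

# Stand-alone run against the constructed sample; replace sample_headers with
# `curl -sI https://your-site.com` to check a live server.
policy=$(sample_headers | header_value Content-Security-Policy-Report-Only)
echo "report-only policy: $policy"
check_policy "$policy" && echo "no findings"
```

Run it once against Content-Security-Policy-Report-Only while tuning and again against Content-Security-Policy after switching to enforcement, so you can see that the enforced header actually replaced the report-only one.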