Content Security Policy (CSP) for XenForo 2.2

JasonBrody

Active member
Hi everyone!

Though there're several threads on this, I couldn't figure out any appropriate one for the latest XF 2.2 release.

So, could anyone provide information on how to configure CSP with the latest XF? (For additional info: I'm using Cloudflare & AdSense.)
 
Since we don't use CF, I can't comment on that. For CSP in general, that was my first point of contact...


The CSP can be issued in Report Only mode using the Content-Security-Policy-Report-Only header instead. This means the browser will not enforce the policy, preventing it from breaking your site during testing, but you can see any violations or errors the policy would have created in the console. You can also use the report-uri directive to have the browser send you reports when violations occur. This is a great way to get feedback from your policy once it's out in the wild and you can read more details on how to implement that here: CSP and HPKP violation reporting with report-uri.io
 
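How the reports collected in Report Only mode can be turned into a per-directive list of sources the policy would have to allow, as an added example that is not part of the original posts. The report bodies are constructed samples in the `csp-report` JSON shape browsers POST to a report-uri endpoint, and the hostnames and function names are placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed report bodies (placeholder hosts), in the JSON shape a browser
# POSTs to the report-uri endpoint. The last one is deliberately malformed.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://forum.example/threads/1/",'
    ' "effective-directive": "script-src-elem",'
    ' "blocked-uri": "https://ads.example.net/js/show.js"}}',
    '{"csp-report": {"document-uri": "https://forum.example/",'
    ' "effective-directive": "script-src-elem",'
    ' "blocked-uri": "https://ads.example.net/js/frame.js"}}',
    # Older report style: only violated-directive, carrying the whole directive.
    '{"csp-report": {"violated-directive": "img-src \'self\'",'
    ' "blocked-uri": "https://cdn.example.org/avatars/a.png"}}',
    '{"csp-report": {"effective-directive": "style-src-attr",'
    ' "blocked-uri": "inline"}}',
    'not json at all',
]


def source_for(blocked_uri):
    """Reduce a blocked-uri to the origin a source list would need."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    # Keywords such as inline, eval or data need a manual decision, not a host.
    return f"[{blocked_uri or 'empty'}]"


def summarise(raw_bodies):
    """Return ({directive: {source: count}}, number of rejected bodies)."""
    needed = defaultdict(lambda: defaultdict(int))
    rejected = 0
    for body in raw_bodies:
        try:
            report = json.loads(body)["csp-report"]
            directive = (report.get("effective-directive")
                         or report["violated-directive"]).split()[0]
            source = source_for(report.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            rejected += 1  # the endpoint is public, so never trust the body
            continue
        needed[directive][source] += 1
    return {d: dict(s) for d, s in needed.items()}, rejected


if __name__ == "__main__":
    summary, rejected = summarise(SAMPLE_REPORTS)
    for directive, sources in sorted(summary.items()):
        print(directive, sources)
    print("rejected bodies:", rejected)
```

Entries shown in square brackets, such as `[inline]`, are not hosts to allow; they point at inline code that needs a nonce, a hash, or a rewrite before the policy is enforced.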