FortiWeb
kmak
Staff
Article Id 304306
Description This article describes the steps to add Content Security Policy Header (CSP Header) in FortiWeb for web application server policy.
Scope FortiWeb.
Solution

Prerequisite:

Enable HTTP Header Security Policy.

 

The Content Security Policy (CSP) header tells the browser which sources it may load certain types of content (scripts, styles, images, and so on) from when rendering a web page.

 

  1. To add the CSP header, navigate to the HTTP Header Security policy page. Create or edit the HTTP Header Security policy.

  2. In the HTTP Header Security Policy, create a new security header.

  3. Enable URL Filter only if the CSP header should be applied to URLs matching a filter; leave it at the default (Disabled) to apply the header to every URL of the server policy. In Secure Header Type, select Content-Security-Policy.

  4. Enter the CSP value in Header Value. In this example, the value default-src 'self' is used, which allows content to be loaded only from the site's own origin.

  5. Save the settings. Then, in the Web Protection Profile used by the Server Policy that should send the CSP header, select the HTTP Security Policy that contains the added CSP header.

  6. Browse the website and check the Network tab of the browser's developer tools: the CSP header now appears in the Response Headers.


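The steps above end with a manual check in the browser. The following Python script is an added example, not part of this article or of FortiWeb, that automates the same check and also parses the CSP value to show what a policy such as default-src 'self' actually permits. All function names (parse_csp, effective_sources, csp_findings, find_csp_header, fetch_csp) and the SAMPLE_RESPONSE_HEADERS dictionary are assumptions constructed for the example; only the header semantics come from the CSP specification.

```python
"""Added example: verify and lint a Content-Security-Policy response header.

Function names and the sample headers below are constructed for this example;
they are not a FortiWeb API.
"""
from typing import Dict, List, Mapping, Optional

# Constructed sample of what step 6 should show in the browser's Network tab.
SAMPLE_RESPONSE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and sources by whitespace; directive names
    are case-insensitive. If a directive is repeated, the first occurrence
    wins, because browsers ignore later duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Mapping[str, List[str]], directive: str) -> List[str]:
    """Sources governing a fetch directive: its own list if set, else default-src.

    This is why default-src 'self' alone already restricts scripts, styles,
    images and other fetches to the site's own origin.
    """
    if directive in policy:
        return list(policy[directive])
    return list(policy.get("default-src", []))


def csp_findings(value: str) -> List[str]:
    """Return findings for permissive settings in a CSP value (empty = clean)."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        # Fetch directives that are not listed fall back to default-src; with
        # no default-src they are unrestricted.
        findings.append("missing default-src")
    for directive, sources in policy.items():
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
    # Scripts are the directive attackers care about most; check what
    # governs them after the default-src fallback is applied.
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "data:"):
        if weak in effective_sources(policy, "script-src"):
            findings.append(f"script-src effectively permits {weak}")
    return findings


def find_csp_header(headers: Mapping[str, str]) -> Optional[str]:
    """Case-insensitive lookup of the Content-Security-Policy response header."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return None


def fetch_csp(url: str) -> Optional[str]:
    """Request a URL and return its CSP header value (live version of step 6)."""
    import urllib.request

    with urllib.request.urlopen(url) as resp:
        return find_csp_header(dict(resp.headers.items()))


if __name__ == "__main__":
    import sys

    # With a URL argument, check the real server; otherwise use the sample.
    csp = fetch_csp(sys.argv[1]) if len(sys.argv) > 1 else find_csp_header(SAMPLE_RESPONSE_HEADERS)
    if csp is None:
        print("Content-Security-Policy header missing")
        sys.exit(1)
    print("Content-Security-Policy:", csp)
    for finding in csp_findings(csp) or ["no permissive settings found"]:
        print(" -", finding)
```

Run it with the site's URL as the only argument after completing step 6; an exit status of 1 means the header was not returned, which usually points at the Web Protection Profile not referencing the HTTP Security Policy from step 5.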
 

Related document:

HTTP Security Headers