Should the Content-Security-Policy header be in every server response (images, CSS, JS, ...) or only in text/html (.html or the HTML output of a PHP script)?
Since CSP is a client-side protection and is only processed by browsers for HTML documents (whether static or dynamically created by PHP or the like), there is no need to have this header on anything but text/html documents.
In fact, as CSP policies can be quite large, there are bandwidth savings to be had by serving it only in HTML document responses.
The one exception to this at present is web workers. However, if you are not using them, you can ignore them for now.
Note that the current CSP draft spec says, in the goals section, that CSP is used to give control over:
The resources which can be requested (and subsequently embedded or executed) on behalf of a specific Document or Worker
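The following is an added example, not code from the question or the answer above, showing one way to put the answer into practice: a small WSGI middleware that attaches a Content-Security-Policy header only when the response's Content-Type is text/html, plus the worker case the answer mentions. The policy string, the `/workers/` path prefix (an assumption: worker scripts are served from that prefix, and the policy delivered with a worker script's response is what governs that worker's own fetches), and the demo routes are all constructed for illustration.

```python
"""Attach Content-Security-Policy only to responses a browser will enforce it on."""

# Constructed policy for the example; a real deployment would use its own.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"

# Assumption: worker scripts live under this prefix, so they get a policy of
# their own (the headers on the worker script response govern that worker).
WORKER_PATH_PREFIX = "/workers/"


def content_type_is_html(headers):
    """True if the Content-Type header (ignoring parameters such as charset) is text/html."""
    for name, value in headers:
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() == "text/html"
    return False


def has_csp(headers):
    """True if a Content-Security-Policy header is already present."""
    return any(name.lower() == "content-security-policy" for name, _ in headers)


def add_csp_headers(path, headers, policy=CSP_POLICY):
    """Return a copy of headers with CSP added for HTML documents and worker scripts.

    Responses that already carry a policy (e.g. set by the application) are left alone,
    and images, stylesheets and ordinary scripts are passed through untouched to avoid
    sending a large policy string where the browser would ignore it anyway.
    """
    new_headers = list(headers)
    if has_csp(new_headers):
        return new_headers
    if content_type_is_html(new_headers) or path.startswith(WORKER_PATH_PREFIX):
        new_headers.append(("Content-Security-Policy", policy))
    return new_headers


class CSPMiddleware:
    """WSGI middleware that applies add_csp_headers to every response."""

    def __init__(self, app, policy=CSP_POLICY):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, add_csp_headers(path, headers, self.policy), exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in application serving a few content types."""
    path = environ.get("PATH_INFO", "")
    routes = {
        "/": ("text/html; charset=utf-8", b"<!doctype html><title>home</title>"),
        "/style.css": ("text/css", b"body{margin:0}"),
        "/app.js": ("application/javascript", b"console.log('app')"),
        "/workers/hash.js": ("application/javascript", b"self.onmessage=()=>{}"),
        "/logo.png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    }
    if path not in routes:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    content_type, body = routes[path]
    start_response("200 OK", [("Content-Type", content_type)])
    return [body]


app = CSPMiddleware(demo_app)


def respond(path, wsgi_app=app):
    """Drive a WSGI app for one GET request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for p in ("/", "/style.css", "/app.js", "/workers/hash.js", "/logo.png"):
        status, headers, _ = respond(p)
        print(p, status, "CSP" if has_csp(headers) else "no CSP")
```

Run it directly to see which routes receive the header; wrapping a real WSGI application (Flask, Django's WSGI handler, and so on) works the same way, since the middleware only inspects the outgoing Content-Type and path. The same rule is easy to express in a web server config as well (a conditional on the response content type in nginx or Apache), but the middleware form keeps the check in one testable place.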