Drupal Content Security Policy (CSP)

CSP (Content Protection Policy) is an additional layer of security that aids in the detection and mitigation of certain types of threats, such as Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for a variety of purposes, including data theft, site defacement, and malware distribution.

Adding the Content-Security-Policy HTTP header to a web page and providing settings to restrict what resources the user agent is authorized to load for that page is the process of configuring Content Security Policy. A page that uploads and shows photographs, for example, may accept images from anywhere but limit form actions to a single endpoint. A well-designed Content Security Policy can help protect a page from cross-site scripting. This article demonstrates how to correctly write such headers and includes examples.

A default-src policy directive should be included in your policy as a fallback for other resource types that don't have their own rules. To prohibit inline scripts from running, a policy must include a default-src or script-src directive, as well as the use of eval(). To prevent inline styles from being applied from a <style> element or a style attribute, a policy must include a default-src or style-src directive.

You must configure your web server to return the Content-Security-Policy HTTP header in order to enable CSP in a Drupal site. To enable and configure, download the Content security policy module or use composer: $ composer require 'drupal/csp:1.16'. After installing the drupal module, enable the CSP module in the module page.

The safest approach to configure Content Security Policy without affecting the website is to enable "Report-only." This allows you to see which elements would not be loaded if the policy was activated through your web browser or automatically generated reports.

Report Only

And Click the Enforced tab in your Content Security Policy module settings once all problems have been fixed.


To check content if the Content-Security-Policy is successfully added on HTTP header, go to network tab check response header.


You can also use a command line or script to transfer data, CURL. In your terminal input this following command:

curl –head <site url>


Mitigating cross-site scripting

Preventing and reporting XSS attacks are the CSP's main purpose. XSS attacks take advantage of the browser's faith in the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

Mitigating packet sniffing attacks

A server can indicate which protocols are allowed to be used; for example, a server can specify that all content must be loaded via HTTPS (which is desirable from a security aspect). A comprehensive data transmission security plan comprises not only requiring HTTPS for data transfer, but also adding the secure attribute to all cookies and providing automatic redirects from HTTP to HTTPS URLs. Sites can also use the Strict-Transport-Security HTTP header to force browsers to connect to them via an encrypted channel.





Profile picture for user Jhon Manny Loto
Jhon Manny Loto Software Developer

My identity has been shaped in the countryside part of the Philippines! To travel around the world is something I wish of. In spite of the continual struggle, faith and courage were my main motivation to keep going because I believe no matter how you feel, just get up, dress up, show up and never give up. Great things are yet to come. Becoming part of Acret-PH is a great opportunity for me to nurture my knowledge and skills. I started with a zero-knowledge in Drupal, yet it was never a hindrance for me to cope up and learn since my seniors and fellow workmates have been very helpful.