Laboratory, a Firefox Add-on for Generating Content Security Policies ➝

I got on a kick of implementing security-related headers on Initial Charge this week. Most of these were fairly easy to add, simply copying and pasting some code from various tutorials into my .htaccess file and then testing. But Content Security Policy was a major pain. It essentially tells the browser which content is allowed to run on a page and where that content may be loaded from.

This add-on made the process much easier. Once installed, I opened the add-on’s menu, enabled recording of my site, then browsed to every type of page I could think of — on the front-end and the backend. The add-on kept a running tally of all the different types of content loaded and where it was loaded from. Then I grabbed the policy text the add-on generated from within its menu and added it to the site’s .htaccess file.

I’m using some declarations that are considered unsafe, notably the ability to run inline JavaScript and CSS. But now that I have the header implemented, I can go through the process of adjusting that content to run from safer sources and then change my security headers accordingly.
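As an added example (not part of the original post, and not code from the Laboratory add-on), here is a small Python script that parses a constructed policy of the kind the add-on generates, flags the directives that still rely on 'unsafe-inline', and replaces that keyword in script-src with a SHA-256 hash-source computed over a constructed inline script, which is the "safer source" route for inline code. The policy, the CDN host and the inline script are all made-up sample values.

```python
import base64
import hashlib

# Constructed sample: a recorded policy that still needs 'unsafe-inline'.
RECORDED_CSP = (
    "default-src 'none'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; "
    "font-src 'self'"
)

# Constructed sample: one inline <script> body from the site being hardened.
# The hash must cover the exact text between the tags, whitespace included.
INLINE_SCRIPT = "document.documentElement.className = 'js';"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Rebuild the header string from the parsed form."""
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


def hash_source(inline_content):
    """CSP hash-source for one inline block: 'sha256-<base64(sha256(body))>'."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode('ascii')}'"


def unsafe_directives(policy):
    """Directives that still permit inline execution or eval."""
    return sorted(
        d for d, sources in policy.items()
        if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources
    )


def harden(header, directive, inline_blocks):
    """Drop 'unsafe-inline' from one directive and allow the given blocks by hash.
    Browsers that support hash-sources ignore 'unsafe-inline' once a hash is
    present, so removing the keyword is what actually tightens the policy."""
    policy = parse_csp(header)
    sources = [s for s in policy[directive] if s != "'unsafe-inline'"]
    for block in inline_blocks:
        if hash_source(block) not in sources:
            sources.append(hash_source(block))
    policy[directive] = sources
    return serialize_csp(policy)
```

Running `harden(RECORDED_CSP, "script-src", [INLINE_SCRIPT])` leaves style-src flagged by `unsafe_directives`, which is the remaining work the post describes; inline styles can be moved to hash-sources the same way.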

➝ Source: