Apache – Fixing .htaccess Content-Security-Policy Header 500 Error

After looking at the source code, it appears that the error message is erroneous and misleading. What appears to be causing your problem is that there are several inline JavaScript elements. In other words, the policy you are defining allows content like this:

<script src="/media/myjsfile.js"></script>

But not like this:

<script>function myJsFunction()</script>

In order to allow inline JavaScript (not recommended as this defeats the purpose of using CSP), you need to modify your policy to something like:

script-src 'self' 'unsafe-inline'

Alternatively, you can refactor the code to not use inline JS, or take advantage of the nonce attribute. Keep in mind that support for the nonce attribute is not currently present in all browsers (it is part of the latest spec for Content Security Policy). To my knowledge, it is currently only supported in Chrome.

This is how I managed it using .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<If "%{HTTPS} == 'on'">
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    AuthUserFile "/var/www/html/secrets/.passwd"
    Require valid-user
</If>