apache – Why Does Apache Refuse Content-Security-Policy Headers?

Tags: apache-2.2, apache-2.4, http-headers, Ubuntu

I'm currently in the process of implementing Content-Security-Policies, but my Apache refuses to accept the config settings.

The apache2 versions I am currently using are 2.2.22 and 2.4.7. Neither of those apache2 versions seems to work.

My config settings are:

Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;
Header always set Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://www.myhostname.com/report/report.php;
Header always set X-Content-Security-Policy: frame-src 'self' google.de google.com;

I receive the following error message on either of those settings. If I comment out one line, the error just changes to the following line:

Output of config test was:
AH00526: Syntax error on line 7 of /etc/apache2/conf-enabled/security.conf:
Header has too many arguments
Action 'configtest' failed.

I've tried every possible combination of settings, resulting in the same error messages. So I've come to believe that my Apaches don't support those headers? But I haven't found anything on the web regarding this issue.

Or am I just missing something crucial? I have also copied various examples from other pages and they produced the same errors.

Headers in general are working fine. I have a couple of other headers set, which work perfectly:

Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Pragma "no-cache"
Header always set Expires "-1"

Thank you!

Best Answer

If the value of the header contains spaces, you must surround it in double quotes. Your examples already do this, but your intended new headers do not.

For example, you tried:

Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;

It should be:

Header always set Content-Security-Policy: "frame-src 'self' *.google.de google.de *.google.com google.com;"
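To see why the unquoted line fails with exactly that message, it helps to model what Apache's config reader does with it. The script below is an added illustration, not Apache's code and not part of the answer above: it tokenizes a `Header` line the way the httpd config parser does (whitespace separates words; a word may be wrapped in double or single quotes, so the `'self'` in an unquoted CSP value becomes the separate word `self`), then applies the `Header [always|onsuccess] action header [value [replacement]] [condition]` grammar. Only the "Header has too many arguments" wording is Apache's; the other messages, the `configtest` helper and the two constructed config lines (`BROKEN` and `FIXED`, the poster's line before and after the fix) are assumptions made for this example. The trailing colon on the header name is stripped here, mirroring mod_headers.

```python
"""Toy model of Apache's tokenizer for a `Header` directive and why an
unquoted Content-Security-Policy value trips "Header has too many arguments".
Added illustration only; this is not Apache source code."""
import re

def tokenize_directive(line):
    """Split a config line like ap_getword_conf(): words are separated by
    whitespace, a word may be wrapped in " or ' to keep embedded spaces, and
    inside quotes a backslash escapes the quote character or a backslash."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] in " \t":
            i += 1
            continue
        if line[i] in "\"'":
            quote, buf = line[i], []
            i += 1
            while i < n and line[i] != quote:
                if line[i] == "\\" and i + 1 < n and line[i + 1] in (quote, "\\"):
                    i += 1
                buf.append(line[i])
                i += 1
            i += 1  # step over the closing quote (an unterminated one ends at EOL)
            tokens.append("".join(buf))
        else:
            j = i
            while j < n and line[j] not in " \t":
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens

_VALUE_ACTIONS = {"set", "setifempty", "append", "merge", "add", "note"}
_EDIT_ACTIONS = {"edit", "edit*"}
_BARE_ACTIONS = {"unset", "echo"}
_CONDITION = re.compile(r"^(early|env=.+|expr=.+)$", re.IGNORECASE)

def parse_header_directive(line):
    """Parse `Header [always|onsuccess] action header [value [replacement]] [condition]`.
    Returns a dict, or raises ValueError carrying a configtest-style message.
    Only the 'too many arguments' text is Apache's wording; the rest is ours."""
    args = tokenize_directive(line)
    if not args or args[0].lower() != "header":
        raise ValueError("not a Header directive")
    args = args[1:]
    always = False
    if args and args[0].lower() in ("always", "onsuccess"):
        always = args.pop(0).lower() == "always"
    if len(args) < 2:
        raise ValueError("Header requires an action and a header name")
    action, name = args.pop(0).lower(), args.pop(0)
    if name.endswith(":"):  # mod_headers tolerates a trailing colon on the name
        name = name[:-1]
    value = replacement = None
    if action in _VALUE_ACTIONS | _EDIT_ACTIONS:
        if not args:
            raise ValueError(f"Header {action} requires a value")
        value = args.pop(0)  # exactly ONE word: that is why quoting matters
    if action in _EDIT_ACTIONS:
        if not args:
            raise ValueError(f"Header {action} requires a replacement")
        replacement = args.pop(0)
    elif action not in _VALUE_ACTIONS | _BARE_ACTIONS:
        raise ValueError(f"Header: unknown action '{action}'")
    condition = args.pop(0) if args and _CONDITION.match(args[0]) else None
    if args:  # leftover words such as `self`, `*.google.de`, ... from an unquoted value
        raise ValueError("Header has too many arguments")
    return {"always": always, "action": action, "name": name,
            "value": value, "replacement": replacement, "condition": condition}

def configtest(lines):
    """Return (line_number, message) per Header line; message is None when it parses."""
    results = []
    for num, line in enumerate(lines, 1):
        if not line.strip().lower().startswith("header"):
            continue
        try:
            parse_header_directive(line)
            results.append((num, None))
        except ValueError as exc:
            results.append((num, str(exc)))
    return results

# Constructed sample lines: the poster's directive before and after the fix.
BROKEN = "Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;"
FIXED = 'Header always set Content-Security-Policy: "frame-src \'self\' *.google.de google.de *.google.com google.com;"'

if __name__ == "__main__":
    for num, msg in configtest([BROKEN, FIXED]):
        print(f"line {num}: {'Syntax error: ' + msg if msg else 'OK'}")
    print(parse_header_directive(FIXED)["value"])
```

Run it and line 1 reports the syntax error while line 2 parses, with the emitted value keeping its single-quoted `'self'` intact. The same tokenizer explains why the poster's other headers worked: `nosniff` is a single word, and `"1; mode=block"` was already double-quoted. Wrapping a CSP value in single quotes instead would not do, since the `'self'` and `'none'` keywords themselves need the single quotes to survive into the emitted header.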