Apache Lounge


About Forum Index Downloads Search Register Log in  RSS Apache Lounge  

Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.



A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.

Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Content-Security-Policy

Joined: 17 Apr 2015
Posts: 30
Location: US

PostPosted: Thu 28 May '20 15:23    Post subject: Content-Security-Policy Reply with quote

Developer is stating that browser is redirecting to ssl page (upgrade-insecure-requests: 1) on a http css url.

So, https://content-security-policy.com/

I tried adding to Apache config

Header set Content-Security-Policy "style-src 'self';"

But still seems to redirect to ssl.
Back to top

Joined: 16 Oct 2007
Posts: 2250
Location: Sun Diego, USA

PostPosted: Thu 28 May '20 20:16    Post subject: Reply with quote

Content security policy has nothing to do with http/https. It only tells the browser where it's allowed to pull things from. If the browser is told to get something only via https but it's coming from http, it just will not get the resource.

That said, does the site have a redirect/rewrite to push http requests to https, something like

<VirtualHost *:80>
  ServerName www.mydomain.com
  RewriteEngine on
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

That will force every request to http://www.mydomain.com to https, regardless of what file is being called.

Then there is this header, quite powerful I might add.
strict-transport-security: max-age=31536000; which will tell the browser to get every request to the site from https for 31536000 seconds (365 days).

Lastly, if it is an https site to begin with, everything on it should be served by https, images/video/css/javascript, you name it. Browsers will warn when there are items coming from a non-https source. The degree to which depends on the browser. Why you ask, it has to do with trust. http cannot be trusted and https can to the degree the certificate states. So if your have https in the browsers address bar then it should be trusted. If you're pulling stuff from non-https which it should not trust, this leaves room for evil doers to do evil while the visitor thinks all is good and dandy.
Back to top

Reply to topic   Topic: Content-Security-Policy View previous topic :: View next topic
Post new topic   Forum Index -> Apache