The Content-Security-Policy header allows your Drupal site to inform browsers of trusted sources for JavaScript, CSS, and other external resources. This adds a security layer to detect and mitigate the risk of Cross-Site Scripting (XSS), data injection, and other vulnerabilities.
## Installation
Enable the module and then configure it at `/admin/config/system/csp`.
Test your settings using **Report Only** before applying them in **Enforced**.
**Enforced** will stop scripts that violate the rules from executing, so test first.
You can also enable the **Content Security Policy Extras** module to harden the security of Drupal core's AJAX.
## How to specify a hash for a script
If you are not using `unsafe-inline`, then you can add hashes for your scripts to CSP.
This is supported but NOT RECOMMENDED because Drupal core currently requires `unsafe-inline` for important features (like CKEditor).
If you still want to use hashes, you can specify a hash in the following format: `'{hashAlgorithm}-{base64-value}'`
- The wrapping single quotes are required.
- The valid hashing algorithms are sha256, sha384, or sha512.
- The hash value must be base64 encoded.
- All characters within the script (or style) element, including leading and trailing whitespace, must be used to calculate the hash value.
If your browser provides a hash value in its CSP error message in the console, you should be able to copy that value. Report-URI.com also provides a tool to generate hashes for arbitrary values: https://report-uri.com/home/hash
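As an added worked example (not code from the CSP module itself), the following Python computes the hash tokens described above over a constructed HTML fragment. It hashes each inline script body exactly as written, whitespace included, skips `src=` scripts (those are allowed by host sources, not hashes), and can check a token copied from a browser console against a script body. The function and sample names are the example's own.

```python
import base64
import hashlib
import re

# Constructed sample page fragment (not taken from any real Drupal site).
# The second script has a leading newline and indentation on purpose:
# that whitespace is part of what the browser hashes.
SAMPLE_HTML = (
    '<script>console.log("hi")</script>\n'
    '<script>\n  console.log("indented");\n</script>\n'
    '<script></script>\n'
    '<script src="/core/misc/drupal.js"></script>\n'
)

_SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S)


def csp_hash(source, algorithm="sha256"):
    """Return the quoted 'algo-base64' token CSP expects for one inline script/style.
    The entire element body, including leading and trailing whitespace, is hashed."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only allows sha256, sha384 or sha512, got %r" % algorithm)
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def inline_script_hashes(html, algorithm="sha256"):
    """Collect a hash token for every inline <script>; external (src=) scripts are skipped."""
    tokens = []
    for m in _SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs")):
            continue
        tokens.append(csp_hash(m.group("body"), algorithm))
    return tokens


def script_src_directive(html, algorithm="sha256", hosts=("'self'",)):
    """Build a script-src directive that allows the page's inline scripts by hash
    instead of falling back to 'unsafe-inline'."""
    return "script-src " + " ".join(list(hosts) + inline_script_hashes(html, algorithm))


def matches(source, token):
    """Check whether a token (e.g. one copied from a CSP console message)
    was computed over exactly this source, whitespace and all."""
    algorithm = token.strip("'").split("-", 1)[0]
    return csp_hash(source, algorithm) == token


if __name__ == "__main__":
    print(script_src_directive(SAMPLE_HTML))
```

Any edit to a script body, even a changed indent, invalidates its token, which is why the hash approach is brittle for markup that core or a text format rewrites.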