Adding Content-Security-Policy as a Header


I need to add a Content Security Policy to my server that’s using NGINX.

The header is to filter when my website can be put in an iframe. I see that Cloudflare has an X-Frame-Options (it is not specified in my nginx.conf file), which is an outdated method, and most browsers now recommend using CSP. But even with the X-Frame-Options set, my site can still be put in an iframe.

This got me thinking: do I need to put the CSP through Cloudflare, if that is possible? If I put it in my config file, will this cause an issue with the X-Frame-Options, and if it does, how can I turn it off?

My knowledge is limited in this topic, so if possible please advise. I know that the CSP works, as I tested it somewhere else and it escapes from iframes not set by a verified source.


Can you post the URL and the configured directives?


You can do that with Cloudflare Workers.

This script does exactly that.
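
As an added example (not the script the reply refers to, and not code from any poster in this thread), this is one way a Worker could set the `frame-ancestors` directive the question is about while keeping any CSP the origin already sends. The names `ALLOWED_PARENTS`, `setFrameAncestors` and `addFramingPolicy` and the origin `https://partner.example` are assumptions made for illustration.

```javascript
// Added example; the function names and the sample origins are hypothetical.
const ALLOWED_PARENTS = ["'self'", "https://partner.example"]; // constructed sample

// Rebuild a CSP string so it carries exactly one frame-ancestors directive,
// keeping every other directive the origin already sent.
function setFrameAncestors(existingCsp, sources) {
  const kept = (existingCsp || "")
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d && d.split(/\s+/)[0].toLowerCase() !== "frame-ancestors");
  kept.push(`frame-ancestors ${sources.join(" ")}`);
  return kept.join("; ");
}

// Copy the origin response and set the framing policy on the copy.
function addFramingPolicy(response, sources = ALLOWED_PARENTS) {
  const headers = new Headers(response.headers);
  headers.set(
    "Content-Security-Policy",
    setFrameAncestors(headers.get("Content-Security-Policy"), sources)
  );
  // Browsers that support frame-ancestors ignore X-Frame-Options when both are
  // present; dropping it avoids sending two policies that disagree.
  headers.delete("X-Frame-Options");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Worker wiring (service-worker syntax); skipped when run outside a Worker.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(fetch(event.request).then((r) => addFramingPolicy(r)));
  });
}
```

This assumes the origin sends at most one `Content-Security-Policy` header; several policies joined by commas would need to be handled one policy at a time.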

