Adding Content-Security-Policy as a Header


I need to add a Content Security Policy to my server that’s using NGINX.

The header is to filter when the my website can be put in an iframe. I see that Cloudflare has a x-Frame-Option (it is not specified in my nginx.conf file) which is an outdated method and most browser now reccommnd using CSP. But even with the X-Frame-Option set my site can still be put in an iframe.

This got me thinking do I need to put the CSP through CloudFlare, if is possible. If I put it in my config file will this cause an issue with the X-Frame-Option and if it does how can I turn it off.

My knowledge is limited in this topic so if possible please advice. I know that the CSP works as I tested it somewhere else and it escapes from iframes not set by a verified source.


Can you post the URL and the configured directives?


You can do that with Cloudflare Workers.

This script does exactly that.