The content policy can also be sent from the app code itself. Below, the web server sends the header and a small Flask app receives the violation reports.
This assumes that the Flask app runs on the same host as the web server, since the proxy target is localhost:5000.
The policy is sent as Content-Security-Policy-Report-Only, so it only reports violations and blocks nothing. Use the header
Content-Security-Policy
instead to actually enforce it. But TEST FIRST: an enforced policy that is wrong breaks the site for every visitor. Note that report-uri is deprecated in favour of report-to (the Reporting API) but is still honoured by current browsers, and it is the simpler of the two to set up.
apt install python3-venv
python3 -m venv venv
source venv/bin/activate
pip install Flask
apache (needs mod_proxy, mod_proxy_http and mod_headers enabled; report-uri is given as the absolute path /csp so that pages in subdirectories do not resolve it relative to their own URL):
<VirtualHost *:443>
    ...
    ProxyPass /csp http://localhost:5000/
    ...
    Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval'; report-uri /csp;"
    ...
nginx (the /csp location must additionally be proxied to the Flask app with proxy_pass http://127.0.0.1:5000/, the equivalent of the apache ProxyPass above; remember that add_header inside a location replaces any add_header inherited from the server block, so keep all such headers together):
...
location / {
    ...
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval'; report-uri /csp;";
    ...
from flask import Flask, request

app = Flask(__name__)


@app.route("/", methods=['GET', 'POST'])
def hello_world():
    # Browsers POST the report with Content-Type application/csp-report,
    # not application/json, so we need to force Flask to parse it as JSON.
    # silent=True returns None instead of a 400 when there is no JSON body
    # (e.g. a plain GET), so the "Nothing received" branch is reachable.
    content = request.get_json(force=True, silent=True)
    print(f"Got json {content}")
    if content:
        return content
    else:
        return "Nothing received"
Save the app as csp.py and export the module name:
export FLASK_APP=csp
and run:
flask run
By default this listens on 127.0.0.1:5000, which is the proxy target used in the web server configuration above.
You should now see the JSON report printed by the Flask app when you refresh your website page. A report is only sent when the policy is violated; with the policy above that happens for every script loaded by URL (including same-origin ones), because script-src lists no host sources, so any page with a <script src="..."> will produce one.
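The Flask app above prints whatever it is sent. As an added example (not code from the original page), here is a receiver written with the Python standard library only, so it runs without Flask: it accepts both the legacy report-uri body ({"csp-report": {...}}) and the newer Reporting API body ([{"type": "csp-violation", "body": {...}}]), normalises the fields worth logging, rejects junk or oversized POSTs instead of crashing, and answers 204 as browsers expect. The two sample reports are constructed for the demo, not captured traffic; the host example.test and the /csp path are assumptions. The parse_csp_report function is what the Flask route would call on request.get_data().

```python
import json
import threading
import urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

MAX_BODY = 64 * 1024  # real reports are a few hundred bytes; cap the rest
# Content types browsers use for report-uri and Reporting API POSTs.
REPORT_TYPES = {"application/csp-report", "application/reports+json", "application/json"}
RECEIVED = []  # normalised reports in arrival order

# Constructed sample bodies (assumed host example.test), not real browser output.
SAMPLE_REPORT_URI = json.dumps({"csp-report": {
    "document-uri": "https://example.test/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval'; report-uri /csp;",
    "disposition": "report",
    "blocked-uri": "https://example.test/static/app.js",
    "status-code": 200,
}}).encode()
SAMPLE_REPORTING_API = json.dumps([{
    "type": "csp-violation", "url": "https://example.test/", "age": 12,
    "body": {"documentURL": "https://example.test/", "effectiveDirective": "script-src",
             "blockedURL": "inline", "disposition": "report", "sample": "alert(1)"},
}]).encode()


def normalise(body):
    """Map either report dialect (kebab-case or camelCase keys) onto one record."""
    return {
        "document": body.get("document-uri") or body.get("documentURL"),
        "directive": body.get("effective-directive") or body.get("violated-directive")
        or body.get("effectiveDirective"),
        "blocked": body.get("blocked-uri") or body.get("blockedURL"),
        "disposition": body.get("disposition", "unknown"),
        "sample": body.get("script-sample") or body.get("sample"),
    }


def parse_csp_report(raw, content_type):
    """Return a list of normalised reports, or [] for anything that is not one."""
    if not raw or len(raw) > MAX_BODY:
        return []
    if content_type.split(";")[0].strip().lower() not in REPORT_TYPES:
        return []
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        return [normalise(data["csp-report"])]  # report-uri style
    if isinstance(data, list):  # Reporting API style: one array, several report types
        return [normalise(r["body"]) for r in data
                if isinstance(r, dict) and r.get("type") == "csp-violation"
                and isinstance(r.get("body"), dict)]
    return []


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(min(length, MAX_BODY + 1))  # never buffer more than the cap
        reports = parse_csp_report(raw, self.headers.get("Content-Type", ""))
        RECEIVED.extend(reports)
        for r in reports:
            print(f"CSP {r['disposition']}: {r['directive']} blocked {r['blocked']} on {r['document']}")
        self.send_response(204 if reports else 400)  # browsers ignore the body anyway
        self.end_headers()

    def log_message(self, *args):  # keep stdout to our own lines
        pass


def start_server():
    """Bind an ephemeral localhost port and serve in the background; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), Receiver)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_report(port, body, content_type="application/csp-report"):
    """POST a body the way a browser would and return the HTTP status code."""
    req = Request(f"http://127.0.0.1:{port}/csp", data=body, method="POST",
                  headers={"Content-Type": content_type})
    try:
        with urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(post_report(port, SAMPLE_REPORT_URI))
    print(post_report(port, SAMPLE_REPORTING_API, "application/reports+json"))
    print(post_report(port, b"garbage"))
    srv.shutdown()
```

The content-type check and size cap matter because the report endpoint is reachable by anyone who can reach the site, not just by browsers honouring the policy; treat it like any other unauthenticated POST handler and never trust the report fields (blocked-uri, script-sample) enough to render them unescaped in a dashboard.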