Content security policy report uri endpoint in python
The content policy can also be enforced in app code; the approach below uses the web server to send the appropriate headers.
This assumes that the Python app will run on the same server as the web server.
The policy below is set up with Content-Security-Policy-Report-Only, so it only reports violations and does not block anything. Use the header
Content-Security-Policy
to actually enforce it. But TEST FIRST!
Setup
apt install python3-venv
pip install Flask
source venv/bin/activate
Add the web server configuration
apache:
<VirtualHost *:443>
    ...
    ProxyPass /csp http://localhost:5000/
    ...
    Header set Content-Security-Policy-Report-Only "default-src 'self';script-src 'unsafe-inline' 'unsafe-eval';report-uri csp;"
    ...
nginx:
...
location / {
    ...
    add_header Content-Security-Policy-Report-Only "default-src 'self';script-src 'unsafe-inline' 'unsafe-eval';report-uri csp;";
    ...
Create the JSON consumer that the browser will send CSP reports to
- csp.py
from flask import Flask, request

app = Flask(__name__)


@app.route("/", methods=['GET', 'POST'])
def hello_world():
    # Browsers POST CSP reports with Content-Type application/csp-report,
    # not application/json, so force=True makes Flask parse the body as JSON anyway.
    content = request.get_json(force=True)
    print(f"Got json {content}")
    if content:
        return content
    return "Nothing received"
Export name:
export FLASK_APP=csp
and run:
flask run
You should now see the JSON from the CSP reports printed when you refresh your website page.
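A more defensive version of the consumer, added here as an example and not part of the original page: the report body is size-capped, validated as a real csp-report object and reduced to known fields before logging, since the endpoint is unauthenticated and anything a client posts to it is untrusted. The sample report is constructed; the field names are the standard CSP report fields.

```python
import json
from typing import Optional

# Constructed sample of what a browser POSTs to the report-uri endpoint. The request
# carries Content-Type: application/csp-report, hence get_json(force=True) in csp.py.
SAMPLE_REPORT = b'''{"csp-report": {
    "document-uri": "https://example.com/page",
    "referrer": "",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self';script-src 'unsafe-inline' 'unsafe-eval';report-uri csp;",
    "blocked-uri": "https://cdn.example.net/lib.js",
    "disposition": "report",
    "status-code": 200}}'''

MAX_BODY = 16 * 1024  # real reports are tiny; cap the body so the endpoint cannot flood logs
KEEP = ("document-uri", "violated-directive", "effective-directive", "blocked-uri",
        "disposition", "source-file", "line-number", "column-number")


def parse_csp_report(raw: bytes) -> Optional[dict]:
    """Return a flat record of the useful fields, or None if the body is not a CSP report."""
    if len(raw) > MAX_BODY:
        return None
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    # Keep only known fields, as truncated strings: nothing else from the body
    # reaches the logs verbatim.
    return {k: str(report[k])[:2048] for k in KEEP if k in report}


try:  # the Flask route is optional so the parser above can be tested without Flask installed
    from flask import Flask, request

    app = Flask(__name__)

    @app.route("/", methods=["POST"])
    def csp_report():
        record = parse_csp_report(request.get_data())
        if record is None:
            return "not a CSP report", 400
        app.logger.warning("CSP violation %s", json.dumps(record))
        return "", 204  # browsers ignore the response body anyway
except ImportError:
    pass
```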
Tested on
- Debian 10.11
- Ubuntu 20.04.3
wiki/content_security_policy_report_uri_endpoint_python.txt · Last modified: 2021/11/12 13:27 by antisa