Step 1: Start with Report-Only Mode
Deploy the policy in Content-Security-Policy-Report-Only first; browsers report violations but do not block anything, so a too-strict policy cannot break the site. The `always` parameter makes nginx send the header on error responses as well as 2xx/3xx.

add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; report-uri /csp-report-endpoint;" always;

Step 2: Analyze Reports
Collect the violation reports that browsers POST to /csp-report-endpoint as JSON. Group them by violated directive and blocked URI to see which legitimate resources the draft policy would break and which violations are noise.

Step 3: Implement Strict Policy
Once the reports are clean, switch to the enforcing header. Note that nginx only inherits add_header directives from the enclosing block when the current block defines none of its own, so a location block with its own add_header must repeat the CSP header.

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;

Step 4: Allow External Resources (if needed)
Add the external origin to the relevant directive of the Step 3 policy rather than sending a second Content-Security-Policy header: browsers enforce every CSP header they receive, so an extra header can only tighten the effective policy, never loosen it.

add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://trusted-cdn.com; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;

Step 5: Test with CSP Evaluator
Use https://csp-evaluator.withgoogle.com/ to check the final policy for weak or bypassable source expressions.
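Added example for Step 2 (not part of the original page): a small Python aggregator that reads report-uri style JSON bodies, as a browser would POST them to /csp-report-endpoint, and counts violations by effective directive and blocked origin. The report bodies are constructed samples.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample POST bodies in the legacy report-uri JSON shape
# (one object with a "csp-report" key per request).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/checkout", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://trusted-cdn.com/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/checkout", "violated-directive": "script-src", "blocked-uri": "https://trusted-cdn.com/app.js?v=2"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "img-src", "blocked-uri": "data"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "img-src", "blocked-uri": "https://trusted-cdn.com/logo.png"}}',
    'not json at all',
]

def source_key(blocked_uri: str) -> str:
    """Reduce a blocked-uri to the value a source list would need.

    Browsers send bare keywords ("inline", "eval", "data", "blob") or an
    empty string for non-URL blocks; for URLs only the origin matters.
    """
    if blocked_uri in ("inline", "eval", "data", "blob", ""):
        return blocked_uri or "(empty)"
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri

def aggregate_reports(bodies):
    """Count (directive, origin) pairs across raw report bodies.

    Malformed bodies are counted and skipped instead of aborting the run,
    because a public report endpoint receives arbitrary POSTs.
    """
    counts = Counter()
    malformed = 0
    for body in bodies:
        try:
            report = json.loads(body)["csp-report"]
            directive = report.get("effective-directive") or report["violated-directive"]
            blocked = report.get("blocked-uri", "")
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        # Some browsers put the whole source list after the directive name.
        counts[(directive.split()[0], source_key(blocked))] += 1
    return counts, malformed

if __name__ == "__main__":
    counts, bad = aggregate_reports(SAMPLE_REPORTS)
    for (directive, origin), n in counts.most_common():
        print(f"{n:4d}  {directive:<12} {origin}")
    print(f"malformed bodies skipped: {bad}")
```

Repeated hits on one origin under script-src or img-src are candidates for Step 4; "inline" and "data" entries are usually the site's own markup that should be moved to external files rather than allowed.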