ASP.NET module for easily adding Content Security Policy through web.config. See readme below for syntax


  • 2012-08-28: Support the 1.0 version (but stay compatible with Firefox). This version will break old configs, replacing options with allowedScriptSources unsafeAllowEval and unsafeAllowInline; allowedXhrSources is now allowedConnectSources
  • 2011-09-29: Support the latest version from W3C, but stay compatible with Firefox, adding 'unsafe-inline' and 'unsafe-eval'
  • 2011-06-21: Support the latest version from W3C, but stay compatible with earlier versions in Firefox and Chrome
  • 2011-06-15: Support the Chrome version as well, although this support is a bit experimental from Chrome's side
  • Allow the content security policy to be specified as part of web.config
  • Allow the policy to be applied through an HttpModule, so nothing needs to be added to individual pages to enable it


Verified via webtest project so far: img-src, object-src, script-src, style-src, frame-src

Web.config policy:

<contentSecurityPolicy reportOnly="true" reportUri="csp-reporting/">
    <allowedSources allowSelf="true" unsafeAllowInline="true">
        <add source="*" />
    </allowedSources>
    <allowedScriptSources allowSelf="true" unsafeAllowEval="true">
        <add source="*" />
    </allowedScriptSources>
</contentSecurityPolicy>

Web.config for HttpModule:

    <add name="ContentSecurityPolicyHttpModule" type="ContentSecurityPolicy.Net.PolicyHttpModule, ContentSecurityPolicy.Net"/>

Abstract HTTP handler for receiving CSP failure reports

Code for handler:

public class ReportHandler : AbstractReportHandler
{
    // Called for each CSP violation report posted to the reportUri
    protected override void HandleReport(Report report)
    {
        //Store data here
    }
}

Web.config policy definition for reportUri:

<contentSecurityPolicy reportUri="csp-reporting/">

Web.config httphandler config:

    <add path="csp-reporting/" verb="POST" type="ContentSecurityPolicy.Net.WebTest.ReportHandler, ContentSecurityPolicy.Net.WebTest"/>
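
Once reports are being stored, they can be summarised to decide which `<add source="..." />` entries should replace the `*` wildcard before reportOnly is switched off. The following is an added example, not code from this project: it assumes the handler saved the raw JSON body that browsers POST to the reportUri (a `csp-report` object with `violated-directive` and `blocked-uri`), uses System.Text.Json, and does not touch the library's `Report` type because its members are not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
public static class CspReportSummary // hypothetical helper name
{
    static string Str(JsonElement e, string name) =>
        e.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String ? v.GetString() ?? "" : "";
    // Reduce blocked-uri to a value that fits an <add source="..." /> entry.
    static string Source(string blocked)
    {
        if (blocked.Length == 0) return "(none)"; // typically inline script/style or eval
        if (!Uri.TryCreate(blocked, UriKind.Absolute, out var u)) return blocked; // keyword such as "inline"
        bool web = u.Scheme == Uri.UriSchemeHttp || u.Scheme == Uri.UriSchemeHttps;
        return web ? u.GetLeftPart(UriPartial.Authority) : u.Scheme + ":";
    }
    // Counts violations per (directive, source). Malformed bodies are skipped,
    // because anyone can POST arbitrary data to the report endpoint.
    public static Dictionary<(string Directive, string Source), int> Summarise(IEnumerable<string> bodies)
    {
        var counts = new Dictionary<(string Directive, string Source), int>();
        foreach (var body in bodies)
        {
            try
            {
                using var doc = JsonDocument.Parse(body);
                if (doc.RootElement.ValueKind != JsonValueKind.Object ||
                    !doc.RootElement.TryGetProperty("csp-report", out var r) ||
                    r.ValueKind != JsonValueKind.Object) continue;
                // violated-directive carries the directive and its value; keep the name only.
                var key = (Str(r, "violated-directive").Split(' ')[0], Source(Str(r, "blocked-uri")));
                counts.TryGetValue(key, out var n);
                counts[key] = n + 1;
            }
            catch (JsonException) { } // not JSON: ignore
        }
        return counts;
    }

    public static void Main()
    {
        var bodies = new[] { // constructed sample reports, not real traffic
            "{\"csp-report\":{\"violated-directive\":\"script-src 'self'\",\"blocked-uri\":\"https://cdn.example/a.js\"}}",
            "{\"csp-report\":{\"violated-directive\":\"script-src 'self'\",\"blocked-uri\":\"https://cdn.example/b.js\"}}",
            "{\"csp-report\":{\"violated-directive\":\"style-src 'self'\",\"blocked-uri\":\"\"}}",
            "not json" };
        foreach (var kv in Summarise(bodies).OrderByDescending(kv => kv.Value))
            Console.WriteLine($"{kv.Value,3}  {kv.Key.Directive,-12} {kv.Key.Source}");
    }
}
```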