
Utility to easily complete the Content-Security-Policy header.



mvccore/ext-tool-csp


MvcCore - Extension - Tool - Content Security Policy


Installation

composer require mvccore/ext-tool-csp

Features

Extension to easily complete the Content-Security-Policy HTTP header.
Read more information here:

Usage

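<?php

declare(strict_types=1);

// Resolve the autoloader relative to this file rather than to the current
// working directory, and use require_once so a missing autoloader stops the
// script instead of silently continuing without the Csp class.
require_once __DIR__ . '/vendor/autoload.php';

use MvcCore\Ext\Tools\Csp;

// Build the policy as a fluent chain. Directives are selected by OR-ing the
// Csp::FETCH_* bit flags; each call below adds one source expression to the
// selected directives.
$csp = Csp::GetInstance()
	// default-src and object-src get 'none': nothing is loaded unless a more
	// specific directive below allows it.
	->Disallow(
		Csp::FETCH_DEFAULT_SRC |
		Csp::FETCH_OBJECT_SRC
	)
	// Same-origin resources are allowed for these fetch directives.
	->AllowSelf(
		Csp::FETCH_SCRIPT_SRC |
		Csp::FETCH_STYLE_SRC |
		Csp::FETCH_IMG_SRC |
		Csp::FETCH_FONT_SRC |
		Csp::FETCH_MEDIA_SRC |
		Csp::FETCH_CONNECT_SRC |
		Csp::FETCH_FRAME_SRC
	)
	// Third-party hosts, listed per directive so each origin is granted only
	// the capability it needs.
	->AllowHosts(
		Csp::FETCH_SCRIPT_SRC | Csp::FETCH_CONNECT_SRC, [
			'https://some.tracking-counter-1.com/',
		]
	)
	->AllowHosts(
		Csp::FETCH_SCRIPT_SRC, [
			'https://cdnjs.com/',
			'https://code.jquery.com/',
		]
	)
	->AllowHosts(
		Csp::FETCH_IMG_SRC, [
			'data:',
		]
	)
	// Inline scripts are allowed only when they carry the nonce rendered below
	// (presumably one fresh value per response; confirm against the library).
	->AllowNonce(Csp::FETCH_SCRIPT_SRC)
	->AllowGoogleMaps();

// The header must be sent before any output, so it is emitted before the
// closing `?>` that starts the HTML document.
header($csp->GetHeader());

?><!DOCTYPE HTML>
<html lang="en-US">
	<head>
		<meta charset="UTF-8">
		<title>CSP</title>
	</head>
	<body>
		<?php // The nonce is written into an attribute, so it is escaped for that context. ?>
		<script nonce="<?=htmlspecialchars($csp->GetNonce(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')?>" type="text/javascript">
			document.write("Safe working javascript code.");
		</script>
		<hr />
		<script type="text/javascript">
			document.write("Dangerous not working javascript code.");
		</script>
	</body>
</html>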