Content Security Policy (CSP)

CSP ColdFusion Example

Here's how to add a Content-Security-Policy HTTP response header using ColdFusion or CFML.

Example CSP Header using CFML

Use the cfheader tag to write an HTTP response header:

<cfheader name="Content-Security-Policy" value="default-src 'self'">

Your policy will go inside the value attribute in the example above.

Or using CFScript

cfheader(name="Content-Security-Policy", value="default-src 'self'");

The cfscript syntax above requires CF11 or above.
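To send the header on every response rather than from a single template, it can be set in Application.cfc. The following is an added example, not code from the original page; the application name, the directive values and the request.cspNonce variable are assumptions, and it relies on the CF11+ script syntax shown above.

```cfml
// Application.cfc (added example; names and directive values are assumptions)
component {

    this.name = "cspExampleApp"; // hypothetical application name

    // Runs before each request, so every response carries the CSP header.
    public boolean function onRequestStart(required string targetPage) {

        // Fresh random value per request (base64 of 16 random bytes).
        // Stored in request scope so templates can echo it on inline scripts.
        request.cspNonce = generateSecretKey("AES", 128);

        // One array element per directive keeps the policy readable and
        // avoids quoting mistakes in one long string.
        var directives = [
            "default-src 'self'",
            "script-src 'self' 'nonce-#request.cspNonce#'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'"
        ];

        // Directives are separated by semicolons in the header value.
        cfheader(
            name  = "Content-Security-Policy",
            value = arrayToList(directives, "; ")
        );

        return true;
    }
}
```

With this policy, an inline script in a template runs only if it carries the same value, for example a script tag with nonce="#request.cspNonce#" written inside cfoutput. Because the nonce changes per request, pages that use it must not be served from a shared cache.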

Using your Web Server

Instead of writing the header from your CFML, you can have your web server write it, for example CSP with nginx or CSP with Apache via htaccess. In IIS you can simply add the header using the Response Headers widget in the IIS Manager app.

What is a CSP policy?

If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.

CSP Developer Field Guide

Want to learn the ins and outs of CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.
