Content Security Policy (CSP)

CSP ColdFusion Example

Here's how to add a Content-Security-Policy HTTP response header using ColdFusion or CFML.

Example CSP Header using CFML

Use the cfheader tag to write an HTTP response header:

<cfheader name="Content-Security-Policy" value="default-src 'self'">

Your policy will go inside the value attribute in the example above.

Or using CFScript

cfheader(name="Content-Security-Policy", value="default-src 'self'");

The cfscript syntax above requires CF11 or above.
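To send the header on every page rather than from individual templates, the same cfheader call can live in Application.cfc. The following is an added example, not code from the original page; the application name, the directive values, the report-only switch and the buildCspPolicy helper are assumptions made for illustration.

```cfml
// Application.cfc: added example; application name and directive values are assumptions
component {

    this.name = "cspExampleApp"; // hypothetical application name

    // One directive per array element, so the policy is easy to review and diff.
    variables.cspDirectives = [
        "default-src 'self'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'"
    ];

    // true sends Content-Security-Policy-Report-Only, so the browser logs
    // violations but does not enforce the policy while you tune it.
    variables.cspReportOnly = false;

    // Runs before every request, so every page gets the header.
    public boolean function onRequestStart(required string targetPage) {
        var headerName = variables.cspReportOnly
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";
        cfheader(name=headerName, value=buildCspPolicy(variables.cspDirectives));
        return true;
    }

    // Joins the directives with "; " and rejects entries that would break the
    // header (CR/LF) or smuggle in a second directive (";").
    private string function buildCspPolicy(required array directives) {
        var cleaned = [];
        for (var directive in arguments.directives) {
            var d = trim(directive);
            if (!len(d) || find(chr(13), d) || find(chr(10), d) || find(";", d)) {
                throw(type="InvalidCspDirective", message="Invalid CSP directive entry");
            }
            arrayAppend(cleaned, d);
        }
        return arrayToList(cleaned, "; ");
    }
}
```

If the web server also adds a Content-Security-Policy header, the browser enforces both policies together, so set it in one place only.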

Using your Web Server

Instead of writing the header directly from your CFML, you can have your web server write it, for example CSP with nginx or CSP with Apache via htaccess. In IIS, you can add the header using the Response Headers widget in the IIS Manager app.

What is a CSP policy?

If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.