How do I implement Content-Security-Policy with Infinityfree?

my website URL is

I have been round and round looking for a way to implement Content-Security-Policy for my website. Is there a place here on Infinityfree to do this? And, if there is, is there documentation on how to do so? From what I have researched this is a tricky area which could bring down my website and this is not what I need. Cloudflare has a method with Cloudflare Workers but that is a whole other area I would have to learn. It has not progressed far.

I’ve also read that without a proper CSP google treats your website as second class.
I have tried to do a test run with a tag complete with nonce but it fails WebPageTest and other diagnostics with a D in Security. I get essentially no error messages within the Chrome DevTools, however so I am stymied. I have partial protection with Cloudflare but only for a couple of components.

Any help in this area would be appreciated or guidance to someplace with real answers and real-world examples rather than the overly simplistic ones or those that use unsafe-inline etc which defeats the whole purpose. I don’t have any database that would be vulnerable as of yet but would like that option in the future.

Running the CSP evaluator extension gives me an extensive listing which I will show here. This is what I’ve implemented in the tag for the content attribute

`default-src ‘self’ ;

script-src 'self' 'nonce-` + nonce + `' 'strict-dynamic';

style-src 'report-sample' 'self';

object-src 'none';

base-uri 'self';

connect-src 'self';

font-src 'self';

frame-src 'self';

img-src 'self';

manifest-src 'self';  

media-src 'self'; 

The matomo URL is the only one thatChrome throws up on right now but there’s nothing in the HTMl about matomo, nor in Google Tag Manager. I’m not sure where it is.


You’re right, CSP is tough, but MDN has a good few articles about it. Content Security Policy (CSP) - HTTP | MDN
Also, I have tinkered with CSP and your list looks fine, just needs a bit of updating/fixing. I did fix your nonce in script-src.
In your .htaccess, you can type

Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-*' 'strict-dynamic'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self';"

I know it is long, but it is all that you included. Please note the quotation marks, otherwise you will get a 500. Ultimately, I’m not sure if it is worth your time for CSP.


Thank you so much for taking the time to take a look at this for me. I’m really trying to learn this stuff and it has been frustrating. Since my original post I’ve found a bit more information and resources such as setting the nonce from the Server via ‘nonce-%{CSP_NONCE}e’ and the whole concept of Server Side Incudes was foreign to me as well. Even if CSP doesn’t work, there are other cool things I could use .htaccess and SSI for such as moving my menus there – if I can ever get any of it figured out. To make a long story short, I abandoned the tag approach to see where I went wrong with .htaccess but did not pull the trigger until today and I get the 500 error you just mentioned. The quotes are there as you warned, but that did not save it. I got “enable display errors in CPANEL” so I found that and switched it on. That did not work or show anything differently in the display.

Inside the .htaccess file the CSP Header looks like this (just showing the beginning and the end of it) – quotes included beginning and end.

Header add Report-To: {“group”:“default”,“max_age”:10886400,“endpoints”:[{“url”:“”}],“include_subdomains”:true}

Header add Content-Security-Policy-Report-Only
"default-src ‘self’ ;

script-src 'self' 'nonce-%{CSP_NONCE}e' 'strict-dynamic'   *******

media-src ‘self’;


Regarding CSP in general, I thought it would be good since I think Google dings sites for not having it is this correct? I don’t even have a database hooked up since I don’t have a current need, but would like to at some point. There’s nothing of value there for anyone to grab or contaminate. Thee is still just malicious vandalism, I guess. I’m sure there are other nasty things they could do to me but I’m still new to this.

I can be reached at [email protected] if that is easier.



This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.