I'm currently in the process of implementing Content-Security-Policies. But my apache refused to accept the config settings.
The apache2 versions I am currently using are: 2.2.22 and 2.4.7. Neither of those apache2 versions seems to work.
My config settings are:
Header always set Content-Security-Policy: frame-src 'self' *.google.de google.de *.google.com google.com;
Header always set Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://www.myhostname.com/report/report.php;
Header always set X-Content-Security-Policy: frame-src 'self' google.de google.com;
I receive the following error message on either of those settings. If I comment out one line, the error just changes to the following line:
Output of config test was:
AH00526: Syntax error on line 7 of /etc/apache2/conf-enabled/security.conf:
Header has too many arguments
Action 'configtest' failed.
I've tried every possible combination of settings, resulting in the same error messages. So I come to believe that my apaches don't support those headers? But I haven't found anything on the web regarding this issue.
Or am I just missing something crucial? I have also copied various examples from other pages and they produced the same errors.
Headers in general are working fine. I have a couple of other headers set, which work perfectly:
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Pragma "no-cache"
Header always set Expires "-1"
Thank you!
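Added example, not part of the original post: the three CSP directives from the question with each policy passed as one quoted value, which is how mod_headers expects a value containing spaces. The policies and hostnames are copied from the question; only the quoting and the optional trailing colon on the header name differ.

```apache
# Constructed from the directives in the question above.
#
# mod_headers splits a Header line on whitespace into:
#   [condition] action header-name value [env clause]
# Unquoted, the policy is broken into many arguments:
#   Header always set Content-Security-Policy: frame-src 'self' *.google.de ...
# header-name = "Content-Security-Policy:", value = "frame-src", and the
# tokens that follow are surplus, hence "Header has too many arguments".

# Quoted, each policy is a single value argument. The single quotes that CSP
# requires around keywords such as 'self' and 'none' sit inside the double quotes.
Header always set Content-Security-Policy "frame-src 'self' *.google.de google.de *.google.com google.com;"
Header always set Content-Security-Policy-Report-Only "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://www.myhostname.com/report/report.php;"
Header always set X-Content-Security-Policy "frame-src 'self' google.de google.com;"
```

The working `X-XSS-Protection "1; mode=block"` line in the question parses for the same reason: its value contains a space and is quoted.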