How to implement strict Content Security Policy

After running our site through pagespeed.web.dev,
I’d like to know how to solve the following issue:

Ensure CSP is effective against XSS attacks. A strong Content Security Policy (CSP) significantly reduces the risk of cross-site scripting (XSS) attacks.
1. script-src directive is missing. This can allow the execution of unsafe scripts.
2. Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to ‘none’ if you can.

Does anyone have experience with this?

I’m using Expanse theme.
Thanks in advance!

1 Like

To ensure that your Content Security Policy (CSP) is effective against cross-site scripting (XSS) attacks, you will need to add the script-src and object-src directives to your CSP.

Here’s how you can do this:

  1. Edit your theme’s theme.liquid file to add the CSP headers:
  • Replace ‘self’ and ‘unsafe-inline’ with the appropriate values for your store. You can find more information about the different values you can use in the Content Security Policy documentation.

  • Save your changes and publish your theme to apply the CSP headers to your store.

By adding the script-src and object-src directives to your CSP, you can help protect your store against XSS attacks and improve the security of your site.

I hope this helps! Let me know if you have any further questions.
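As an added illustration (not code from the thread or from the Expanse theme), the snippet below builds the nonce-based strict CSP the audit is asking for and re-checks any policy string for the two findings quoted above, plus the unsafe-inline and base-uri gaps. It assumes a server or edge layer that can generate a fresh nonce per response and inject it into every script tag; the sample policies are constructed.

```python
import secrets
from typing import Dict, List, Optional

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header or meta value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy

def audit_csp(header: str) -> List[str]:
    """Return the weaknesses the pagespeed.web.dev CSP check reports, plus the base-uri gap."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src and object-src fall back to default-src when absent.
    scripts: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("script-src directive is missing")
    elif "'unsafe-inline'" in scripts and not any(s.startswith(HASH_OR_NONCE) for s in scripts):
        # Browsers ignore 'unsafe-inline' only when a nonce or hash is also listed.
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    objects = policy.get("object-src", policy.get("default-src"))
    if objects is None:
        findings.append("object-src directive is missing; set it to 'none'")
    elif objects != ["'none'"]:
        findings.append("object-src should be 'none' to block plugin-based script execution")
    if "base-uri" not in policy:
        findings.append("base-uri directive is missing; set it to 'none' or 'self'")
    return findings

def new_nonce() -> str:
    """128-bit random nonce; must be generated fresh for every response."""
    return secrets.token_urlsafe(16)

def strict_csp(nonce: str) -> str:
    """Nonce-based strict CSP: only scripts carrying this nonce (and what they load
    via 'strict-dynamic') may run; plugins and <base> hijacking are blocked."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")

# Constructed sample policies, not taken from any real store.
WEAK_CSP = "frame-ancestors 'none'"  # both directives from the audit are missing
LOOSE_CSP = "script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("loose", LOOSE_CSP), ("strict", strict_csp(new_nonce()))):
        print(f"{label}: {audit_csp(csp) or ['no findings']}")
```

A nonce only protects anything if it is unpredictable and different on every response; pasting a fixed nonce into a theme file gives no XSS protection at all.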

Hi SaaSEnthu,

Can you tell me how to get the ‘self’ and ‘unsafe-inline’ values from my Shopify store?

1 Like

Apparently not, I find people love to “half” help on here but are never able to sort out a problem 😄

1 Like