Format Content-Security-Policy header directives

h5bp/security/content-security-policy.conf

@@ -11,9 +11,9 @@
 # There is no policy that fits all websites, you will have to modify the
 # `Content-Security-Policy` directives in the example depending on your needs.
 #
-# The example policy below aims to:
+#  (*) The example policy below aims to:
 #
-#  (1) Restrict all fetches by default to the origin of the current website by
+#    - Restrict all fetches by default to the origin of the current website by
 #      setting the `default-src` directive to `'self'` - which acts as a
 #      fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
 #
@@ -24,17 +24,17 @@
 #      This restriction also means that you must explicitly define from which
 #      site(s) your website is allowed to load resources from.
 #
-#  (2) The `<base>` element is not allowed on the website. This is to prevent
+#    - The `<base>` element is not allowed on the website. This is to prevent
 #      attackers from changing the locations of resources loaded from relative
 #      URLs.
 #
 #      If you want to use the `<base>` element, then `base-uri 'self'` can be
 #      used instead.
 #
-#  (3) Form submissions are only allowed from the current website by setting:
+#    - Form submissions are only allowed from the current website by setting:
 #      `form-action 'self'`.
 #
-#  (4) Prevents all websites (including your own) from embedding your webpages
+#    - Prevents all websites (including your own) from embedding your webpages
 #      within e.g. the `<iframe>` or `<object>` element by setting:
 #      `frame-ancestors 'none'`.
 #
@@ -44,14 +44,14 @@
 #      Browsers that support the CSP header should ignore `X-Frame-Options` if
 #      `frame-ancestors` is also specified.
 #
-#  (5) Elements controlled by `object-src` are perhaps coincidentally
+#    - Elements controlled by `object-src` are perhaps coincidentally
 #      considered legacy HTML elements and are not receiving new standardized
 #      features (such as the security attributes `sandbox` or `allow` for
 #      `<iframe>`).
 #      Therefore it is recommended to restrict this fetch-directive (e.g.,
 #      explicitly set `object-src 'none'` if possible).
 #
-#  (6) Forces the browser to treat all the resources that are served over HTTP
+#    - Forces the browser to treat all the resources that are served over HTTP
 #      as if they were loaded securely over HTTPS by setting the
 #      `upgrade-insecure-requests` directive.
 #
@@ -60,7 +60,7 @@
 #      loaded over HTTPS you must include the `Strict-Transport-Security`
 #      header.
 #
-#  (7) The `Content-Security-Policy` header is included in all responses
+#    - The `Content-Security-Policy` header is included in all responses
 #      that are able to execute scripting. This includes the commonly used
 #      file types: HTML, XML and PDF documents. Although Javascript files
 #      can not execute script in a "browsing context", they are still included
@@ -82,6 +82,13 @@
 # https://content-security-policy.com/
 
 <IfModule mod_headers.c>
-    #                                          (1)                 (2)              (3)                 (4)                     (5)                (6)                                                 (7)
-    Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+	# (*)
+    Header always set Content-Security-Policy "\
+        default-src 'self';\
+        base-uri 'none';\
+        form-action 'self';\
+        frame-ancestors 'none';\
+        object-src 'none';\
+        upgrade-insecure-requests;\
+        " "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
 </IfModule>