📋 Table of Contents
- What is CSP?
- Local/Docker environment configuration
- Production server configuration
- Directive explanations
- Testing and verification
- Troubleshooting
🔐 What is CSP?
Content Security Policy (CSP) is a security layer that helps prevent the following attacks:
- ✅ XSS (Cross-Site Scripting) - script injection attacks
- ✅ Data Injection - injection of malicious data
- ✅ Clickjacking - framing attacks (via the frame-ancestors directive)
Why an HTTP header?
❌ Bad: <meta http-equiv="Content-Security-Policy" content="...">
✅ Good: HTTP Response Header
Reasons for using the HTTP header:
- 🔒 More secure: it is applied before the HTML is processed
- ⚡ Faster: no HTML parsing is needed to find the policy
- 💪 More powerful: every CSP directive can be used (frame-ancestors, report-uri and sandbox are ignored in a meta tag)
- ✅ PageSpeed recommendation: Google recommends using the header
🛠️ Local/Docker environment configuration
⚠️ Note: this configuration is for the Local/Docker environment.
For the production server, see the Production server configuration section.
Changes made:
1. Removed the meta tag from header.php ❌
Before:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
After:
<!-- CSP meta tag removed - the HTTP header is used instead -->
2. Added the CSP header in nginx/default.conf ✅
# nginx/default.conf (lines 41-49)
server {
listen 443 ssl;
server_name localhost;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 🛡️ Content Security Policy (CSP)
# Prevents XSS attacks and code injection
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;" always;
}
Restart Docker:
cd C:\Docker\xpay
docker-compose restart nginx
🚀 Production server configuration
Audience: DevOps and SEO teams
Environment: Production server (Apache/Nginx/cPanel/Plesk)
📌 Before you start
- ✅ A valid SSL certificate is installed
- ✅ All external scripts have been identified
- ✅ Analytics and tracking codes are listed
- ✅ CDN domains are known
🔧 Configuration by web server
1️⃣ Nginx (recommended)
File: /etc/nginx/sites-available/your-domain.conf
Note: nginx passes add_header lines from the server block down to a location block only if that location defines no add_header of its own; a location that sets its own headers must repeat the CSP line, otherwise responses served from it carry no policy.
server {
listen 443 ssl http2;
server_name example.com www.example.com;
# SSL configs...
ssl_certificate /path/to/ssl/fullchain.pem;
ssl_certificate_key /path/to/ssl/privkey.pem;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 🛡️ Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;" always;
# remaining settings...
}
Apply the changes:
sudo nginx -t
sudo systemctl reload nginx
2️⃣ Apache
File: /etc/apache2/sites-available/your-domain.conf or .htaccess
Method 1: in the VirtualHost
<VirtualHost *:443>
ServerName example.com
SSLEngine on
# SSL configs...
# 🛡️ Content Security Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
</VirtualHost>
Method 2: in .htaccess
<IfModule mod_headers.c>
# HTTPS only
<If "%{HTTPS} == 'on'">
# 🛡️ Content Security Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
</If>
</IfModule>
Apply:
# enable mod_headers
sudo a2enmod headers
sudo apache2ctl configtest
sudo systemctl reload apache2
3️⃣ cPanel / WHM
Method 1: via .htaccess
- Log in to cPanel → File Manager
- Open the .htaccess file in the root directory
- Add the following code:
<IfModule mod_headers.c>
<If "%{HTTPS} == 'on'">
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
</If>
</IfModule>
Method 2: via WHM (root access)
- Log in to WHM
- Service Configuration → Apache Configuration → Include Editor
- Pre VirtualHost Include → All Versions
- Code:
<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
</IfModule>
- Save and Rebuild
- Restart:
/scripts/restartsrv_httpd
4️⃣ Plesk
- Log in to the Plesk panel
- Domains → select the domain
- Apache & nginx Settings
- In Additional directives for HTTP and Additional directives for HTTPS:
# only in the HTTPS section
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co; frame-src 'self' https://www.google.com https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
- OK → Apply
5️⃣ Cloudflare (if you use it)
- Log in to the Cloudflare Dashboard
- Security → Settings
- HTTP Headers
- Add Header:
- Name: Content-Security-Policy
- Value: (the full CSP value from above)
Or via Transform Rules:
- Rules → Transform Rules → Modify Response Header
- Create rule
- Set header: Content-Security-Policy
- Value: (the full CSP value)
📊 Directive explanations
Full CSP applied:
Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net;
font-src 'self' https://fonts.gstatic.com data:;
img-src 'self' data: https: http:;
connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://cloudflareinsights.com https://xpay.co;
frame-src 'self' https://www.google.com https://challenges.cloudflare.com;
object-src 'none';
base-uri 'self';
form-action 'self';
upgrade-insecure-requests;
1️⃣ default-src 'self'
Default for all resource types
default-src 'self'
- 🔒 Only the site's own origin (same-origin) is allowed
- ✅ The most secure default
- 📝 The more specific directives below override it for their resource type
2️⃣ script-src ⚠️ HIGH Priority
Controls JavaScript execution
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://www.google.com
https://www.gstatic.com
https://cdn.jsdelivr.net
https://unpkg.com
https://code.highcharts.com
https://www.googletagmanager.com
https://www.google-analytics.com
https://static.cloudflareinsights.com
https://challenges.cloudflare.com
Explanation:
- 'self' - the site's own scripts
- 'unsafe-inline' - inline scripts (required for Google Tag Manager)
- 'unsafe-eval' - eval() and Function() (required for analytics)
Added domains:
- Google: reCAPTCHA and Analytics
- jsdelivr/unpkg: CDN libraries
- Highcharts: charts
- Cloudflare: challenge pages and analytics
⚠️ Security note: 'unsafe-inline' and 'unsafe-eval' are dangerous! With 'unsafe-inline' in script-src, an injected inline script still runs, so this policy does not yet stop XSS by itself. Use nonces in the next version; once a nonce or hash is present in script-src, browsers ignore 'unsafe-inline' there.
3️⃣ object-src 'none' ✅ HIGH Priority
Blocks plugins
object-src 'none'
- 🚫 Blocks <object>, <embed> and <applet>
- ✅ Critical for security - prevents Flash/Java injection
- 🛡️ One of the most important directives
This directive resolves the PageSpeed warning!
4️⃣ style-src
Controls CSS
style-src 'self' 'unsafe-inline'
https://fonts.googleapis.com
https://cdn.jsdelivr.net
- 'self' - the site's own CSS
- 'unsafe-inline' - inline styles (required for dynamic styles)
- Google Fonts - for Persian fonts
- jsdelivr - CDN styles
5️⃣ font-src
Controls fonts
font-src 'self' https://fonts.gstatic.com data:
- 'self' - local fonts
- fonts.gstatic.com - Google Fonts
- data: - base64-encoded fonts
6️⃣ img-src
Controls images
img-src 'self' data: https: http:
- 'self' - the site's own images
- data: - base64 images
- https: - any HTTPS image (for user-generated content)
- http: - backward compatibility (can be removed; upgrade-insecure-requests already rewrites http: image URLs to https: before they are fetched)
7️⃣ connect-src
Controls AJAX and WebSocket connections
connect-src 'self'
https://www.google-analytics.com
https://region1.google-analytics.com
https://cloudflareinsights.com
https://xpay.co
Usage:
- API calls
- Analytics tracking
- WebSocket connections
- fetch() and XMLHttpRequest
Domains:
- Google Analytics - tracking
- Cloudflare - insights
- xpay.co - API calls for exchange rates
8️⃣ frame-src
Controls iframes
frame-src 'self'
https://www.google.com
https://challenges.cloudflare.com
- 'self' - iframes from the site itself
- Google - reCAPTCHA
- Cloudflare - challenge pages
9️⃣ base-uri 'self'
Restricts the <base> tag
base-uri 'self'
- 🔒 Prevents base tag hijacking attacks
- ✅ Only the site's own origin
🔟 form-action 'self'
Restricts form destinations
form-action 'self'
- 🔒 Forms can only be submitted to the site's own origin
- ✅ Prevents phishing attacks
1️⃣1️⃣ upgrade-insecure-requests
Automatically upgrades HTTP to HTTPS
upgrade-insecure-requests
- ⚡ All HTTP requests are rewritten to HTTPS
- ✅ Replaces the previous meta tag
- 🔒 Works alongside HSTS
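The checks this section makes by hand (an 'unsafe-inline' or 'unsafe-eval' script-src, a missing object-src or base-uri, a scheme-wide source, the redundant img-src http:) can be scripted. The following Python is an added example, not part of the original document or the project's code; it parses the policy above into directives the way a browser does (first occurrence of a directive wins) and reports the same findings a CSP evaluator would.

```python
# Minimal CSP policy linter (added example, not the project's code).
# It parses a Content-Security-Policy header value into directives and flags
# the weak settings discussed above, using the policy from this document.
from typing import Dict, List

# Policy applied in this document (copied from the nginx/Apache configs above).
XPAY_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com "
    "https://cdn.jsdelivr.net https://unpkg.com https://code.highcharts.com https://www.googletagmanager.com "
    "https://www.google-analytics.com https://static.cloudflareinsights.com https://challenges.cloudflare.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; "
    "font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https: http:; "
    "connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com "
    "https://cloudflareinsights.com https://xpay.co; "
    "frame-src 'self' https://www.google.com https://challenges.cloudflare.com; "
    "object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
)


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source, ...]}.

    Directive names are case-insensitive, and browsers keep only the first
    occurrence of a duplicated directive; the parser mirrors both rules.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(policy: Dict[str, List[str]]) -> List[str]:
    """Return findings, most severe first."""
    findings: List[str] = []
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it when it stands alone.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("HIGH: script-src allows 'unsafe-inline'; injected inline scripts execute")
    if "'unsafe-eval'" in script:
        findings.append("MEDIUM: script-src allows 'unsafe-eval'")
    for scheme in ("*", "https:", "http:"):
        if scheme in script:
            findings.append(f"HIGH: script-src allows any host via {scheme}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("HIGH: object-src missing and no default-src fallback")
    elif policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("MEDIUM: object-src is not 'none'")
    if "base-uri" not in policy:
        findings.append("MEDIUM: base-uri missing; <base> tag hijacking possible")
    if "http:" in policy.get("img-src", []) and "upgrade-insecure-requests" in policy:
        findings.append("INFO: img-src http: is redundant with upgrade-insecure-requests")
    return findings
```

Run it on XPAY_POLICY and the output matches the PageSpeed and CSP Evaluator findings discussed on this page: the two 'unsafe-*' keywords and the redundant http: source, with object-src and base-uri already in order.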
✅ Testing and verification
1. Test with cURL
# test the CSP header
curl -I https://your-domain.com | grep -i "content-security-policy"
# expected output:
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'...
2. Test in the browser
Chrome DevTools:
- F12 → Network tab
- Reload the page
- Click the first request
- Response Headers → check content-security-policy
Console tab:
- Check for CSP violations (if any)
- There should be no red errors
3. Test with Security Headers
https://securityheaders.com/?q=https://your-domain.com
Expected score:
- 🅰️ Grade A or A+
- ✅ CSP header detected
- ✅ CSP includes script-src
- ✅ CSP includes object-src
4. Test with PageSpeed Insights
https://pagespeed.web.dev/analysis?url=https://your-domain.com
Before CSP:
❌ Ensure CSP is effective against XSS attacks
- script-src directive is missing (High)
- object-src missing (High)
- CSP in meta tag (Medium)
After CSP:
✅ CSP is properly configured
(this warning is no longer shown)
5. Test with CSP Evaluator
https://csp-evaluator.withgoogle.com/
- Paste your CSP
- Click Evaluate
- Review the warnings and suggestions
🚨 Troubleshooting
Problem 1: Scripts do not load
Console error:
Refused to load the script 'https://example.com/script.js'
because it violates the following Content Security Policy directive: "script-src..."
Solution:
# add the domain to script-src
script-src 'self' ... https://example.com;
Problem 2: Inline styles do not work
Console error:
Refused to apply inline style because it violates CSP directive: "style-src..."
Solution:
# if you do not have unsafe-inline, add it
style-src 'self' 'unsafe-inline';
# or better: move the styles to an external stylesheet
Problem 3: Google Analytics does not work
Console error:
Refused to connect to 'https://www.google-analytics.com'
because it violates CSP directive: "connect-src..."
Solution:
# add Google Analytics
script-src 'self' ... https://www.googletagmanager.com https://www.google-analytics.com;
connect-src 'self' ... https://www.google-analytics.com https://region1.google-analytics.com;
Problem 4: reCAPTCHA does not display
Solution:
script-src 'self' ... https://www.google.com https://www.gstatic.com;
frame-src 'self' ... https://www.google.com;
Problem 5: Images from a CDN do not load
Solution:
# for all CDNs
img-src 'self' data: https: http:;
# or only a specific CDN
img-src 'self' data: https://cdn.example.com;
🔧 Customizing for your site
Adding a new domain
Example: adding Tawk.to (live chat)
# before
script-src 'self' 'unsafe-inline' ...;
# after
script-src 'self' 'unsafe-inline' ... https://embed.tawk.to;
connect-src 'self' ... https://va.tawk.to;
Adding a new CDN
script-src 'self' ... https://your-cdn.com;
style-src 'self' ... https://your-cdn.com;
font-src 'self' ... https://your-cdn.com;
img-src 'self' ... https://your-cdn.com;
Removing 'unsafe-inline' (advanced)
For stronger security, use nonces:
script-src 'self' 'nonce-{RANDOM}' https://...;
In PHP:
<?php
// A fresh, unguessable nonce for every response; never reuse or cache it.
$nonce = base64_encode(random_bytes(16));
// header() must run before any output is sent to the client.
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce';");
?>
<script nonce="<?php echo $nonce; ?>">
// inline script
</script>
📋 Summary for the team
For DevOps:
- ✅ Remove the meta tag from header.php
- ✅ Add the CSP header in nginx/apache
- ✅ Include script-src, object-src 'none' and upgrade-insecure-requests
- ✅ Restart the web server
- ✅ Test with curl and securityheaders.com
For SEO:
- ✅ Check the Console in Chrome DevTools
- ✅ Test with PageSpeed Insights
- ✅ Verify that Analytics and tracking codes still work
- ✅ Test reCAPTCHA on contact forms
- ✅ Check the error logs
Important files:
- Local: nginx/default.conf (line 47)
- Production Nginx: /etc/nginx/sites-available/your-domain.conf
- Production Apache: /etc/apache2/sites-available/your-domain.conf or .htaccess
- Docs: docs/CSP_SECURITY.md (this file)
📝 Summary
✅ Changes made:
- ❌ CSP meta tag removed from header.php
- ✅ Full CSP header added in nginx
- ✅ Includes script-src (high priority)
- ✅ Includes object-src 'none' (high priority)
- ✅ Includes upgrade-insecure-requests
✅ Benefits:
- 🛡️ Protection against XSS attacks
- 🚫 Prevents code injection
- ⚡ Better security score
- ✅ Fixes the PageSpeed Insights warning
✅ Test:
curl -I https://your-domain.com | grep -i "content-security-policy"
⚠️ Important notes:
- Always test in a staging environment first
- Check the browser console for errors
- Test Analytics and tracking codes
- Roll out gradually in production (for example, start with a Content-Security-Policy-Report-Only header and switch to enforcement once the reports are clean)
Last updated: 23 December 2025
Status: ✅ Active and tested
PageSpeed Status: ✅ Resolved
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://www.googletagmanager.com
https://van.najva.com
https://cdn.goftino.com
https://s1.mediaad.org
Why 'unsafe-inline' and 'unsafe-eval'?
- Google Tag Manager requires 'unsafe-eval'
- Some analytics tools use inline scripts
- Future improvement: use nonces for inline scripts
Added Domains:
- s1.mediaad.org - Retargeting and analytics script
2. object-src
Blocks plugins like Flash, Java applets:
object-src 'none'
This is critical for security - blocks injection of malicious plugins.
3. style-src
Controls stylesheet sources:
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
Allows Google Fonts and inline styles.
4. img-src
Controls image sources:
img-src 'self' data: https: http:
Allows all images (data URIs, HTTPS, HTTP for compatibility).
5. font-src
Controls font sources:
font-src 'self' data: https://fonts.gstatic.com
Allows Google Fonts and data URIs.
6. connect-src
Controls AJAX, WebSocket, EventSource connections:
connect-src 'self'
https://www.google-analytics.com
https://van.najva.com
https://cdn.goftino.com
https://api.xpay.co
Added Domains:
- api.xpay.co - XPay API for chart data and fiat conversions
7. frame-src
Controls iframe sources:
frame-src 'self' https://www.googletagmanager.com
Only allows Google Tag Manager iframes.
8. Other Security Directives
base-uri 'self' # Prevents <base> tag hijacking
form-action 'self' # Forms can only submit to same origin
frame-ancestors 'self' # Prevents clickjacking
upgrade-insecure-requests # Upgrades HTTP to HTTPS
Testing CSP
Browser Console
Open browser DevTools (F12) → Console tab. If CSP blocks something, you’ll see:
Refused to load the script 'https://evil.com/script.js' because it violates
the following Content Security Policy directive: "script-src 'self'..."
Online Tools
PageSpeed Insights
Test at: https://pagespeed.web.dev/
Should show ✅ for “Ensure CSP is effective against XSS attacks”
Common Issues & Solutions
Issue: “Script blocked by CSP”
Solution: Add the domain to script-src:
"script-src 'self' 'unsafe-inline' https://new-domain.com",
Issue: “Stylesheet blocked by CSP”
Solution: Add the domain to style-src:
"style-src 'self' 'unsafe-inline' https://new-domain.com",
Issue: “Font blocked by CSP”
Solution: Add the domain to font-src:
"font-src 'self' data: https://new-domain.com",
Future Improvements
1. Use Nonces for Inline Scripts
Instead of 'unsafe-inline', use nonces:
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce'");
Then in HTML:
<script nonce="<?php echo $nonce; ?>">
// Your inline script
</script>
2. Report-Only Mode
Test CSP without blocking:
header("Content-Security-Policy-Report-Only: ...");
3. CSP Reporting
Log violations to server:
"report-uri /csp-violation-report"
File Structure
functions.php # CSP implementation
docs/CSP_SECURITY.md # This documentation
docs/changelog/CHANGELOG-FA.md # Persian changelog
docs/changelog/CHANGELOG-EN.md # English changelog
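Once Report-Only mode and report-uri are in place, the violation bodies the browser POSTs need to be turned into the "add this host to that directive" decisions that the Common Issues section and the Troubleshooting section make by hand. The following Python is an added example, not the project's code; it assumes the report endpoint stores each application/csp-report body as one JSON line, and the sample reports (Tawk.to hosts from the customization section, an inline-script violation) are constructed.

```python
# Aggregates CSP violation reports (added example, not the project's code).
# Assumes the JSON bodies a browser POSTs to the report-uri endpoint
# (Content-Type application/csp-report); the sample reports are constructed.
import json
from collections import Counter
from typing import List
from urllib.parse import urlsplit

# Constructed sample reports, one JSON document per line, as stored by the endpoint.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://embed.tawk.to/widget.js", "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://example.com/rates", "effective-directive": "connect-src",'
    ' "blocked-uri": "https://va.tawk.to/v1/session", "disposition": "report"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "violated-directive": "script-src \'self\'",'
    ' "blocked-uri": "inline", "disposition": "enforce"}}',
    '{"csp-report": {"document-uri": "https://example.com/", "effective-directive": "script-src",'
    ' "blocked-uri": "https://embed.tawk.to/other.js", "disposition": "report"}}',
]


def summarize_reports(lines: List[str]) -> Counter:
    """Count violations by (directive, source that would satisfy it)."""
    counts: Counter = Counter()
    for line in lines:
        try:
            body = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed or non-CSP body: client input, never trusted
        if not isinstance(body, dict):
            continue
        # Older browsers send only violated-directive ("script-src 'self'"); take its name.
        directive = body.get("effective-directive")
        if not directive:
            directive = ((body.get("violated-directive") or "unknown").split() or ["unknown"])[0]
        blocked = body.get("blocked-uri", "")
        if blocked in ("inline", ""):
            source = "inline (use a nonce or hash rather than 'unsafe-inline')"
        elif blocked == "eval":
            source = "eval (refactor, or allow 'unsafe-eval')"
        else:
            parts = urlsplit(blocked)  # reduce the full URL to its origin
            source = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
        counts[(directive, source)] += 1
    return counts


def suggest_changes(counts: Counter) -> List[str]:
    """Render the tally as 'directive: source (n reports)' lines, most frequent first."""
    return [f"{d}: {s} ({n} reports)" for (d, s), n in counts.most_common()]
```

Because the tally keys on origin rather than full URL, one line per host tells you which source list to extend, and an "inline" entry tells you a nonce is needed rather than a host.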
Related Files
- functions.php - CSP implementation
- header.php - Removed old meta tag CSP
- docs/NAJVA_OPTIMIZATION.md - Najva integration docs
- docs/SOURCE_MAPS_README.md - Source maps docs
Last Updated: December 2025
Version: 2.1.0