shinjinhun

## cspheader.php
<?
//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
$headerCSP = "Content-Security-Policy:".
        "connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
        "default-src 'self';". // Default policy for loading html elements
        "frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
        "frame-src 'none';". // vaid sources for frames
        "media-src 'self' *.example.com;". // vaid sources for media (audio and video html tags src)
        "object-src 'none'; ". // valid object embed and applet tags src
        "report-uri https://example.com/violationReportForCSP.php;". //A URL that will get raw json data in post that lets you know what was violated and blocked
	<?
	//CSP only works in modern browsers Chrome 25+, Firefox 23+, Safari 7+
	$headerCSP = "Content-Security-Policy:".
	"connect-src 'self' ;". // XMLHttpRequest (AJAX request), WebSocket or EventSource.
	"default-src 'self';". // Default policy for loading html elements
	"frame-ancestors 'self' ;". //allow parent framing - this one blocks click jacking and ui redress
	"frame-src 'none';". // vaid sources for frames
	"media-src 'self' *.example.com;". // vaid sources for media (audio and video html tags src)
	"object-src 'none'; ". // valid object embed and applet tags src
	"report-uri https://example.com/violationReportForCSP.php;". //A URL that will get raw json data in post that lets you know what was violated and blocked