0

I currently have an nginx server that is sending the Content-Security-Policy header, however I've read that apparently IE only supports "X-Content-Security-Policy".

Would it be a good idea to send both Content-Security-Policy and X-Content-Security-Policy headers with requests or will this create conflicts? Would it instead be a good idea to use a conditional statement to send the correct header for the correct browser based on the user agent?

Concrete Donkey

1 Answer

1

Because user agents (browsers) ignore headers they do not understand, as long as the effect of the headers is the same you will not experience problems by providing both. Do whichever you find more expedient. Best practice would be to behave conditionally based on the user agent identification, but I can't think of any reason why this would actually be necessary.

Falcon Momot
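Both approaches discussed in this thread, sketched as an nginx configuration. This is an added example, not configuration posted by either participant; the policy string, server name and user-agent pattern are constructed placeholders.

```nginx
# The map block belongs in the http {} context.
# It yields the legacy policy only for user agents matching the
# (constructed) IE pattern, and an empty string for everyone else.
map $http_user_agent $csp_legacy {
    default                      "";
    "~(MSIE 10\.|Trident/7\.)"   "default-src 'self'";
}

server {
    listen 80;
    server_name example.test;   # placeholder

    # Approach 1: send both headers to every client with the same policy,
    # so whichever header a browser understands has the same effect.
    # "always" (nginx 1.7.5+) also attaches them to error responses.
    add_header Content-Security-Policy   "default-src 'self'" always;
    add_header X-Content-Security-Policy "default-src 'self'" always;

    # Approach 2: replace the X- line above with the two lines below.
    # add_header skips a header whose value evaluates to an empty string,
    # so only matching user agents receive the prefixed header.
    # Vary keeps shared caches from serving one variant to the other group.
    # add_header X-Content-Security-Policy $csp_legacy always;
    # add_header Vary "User-Agent" always;

    location / {
        root /var/www/html;     # placeholder
    }
}
```

Note that add_header directives are inherited from the server level only if a location defines none of its own, so a location that adds any header must repeat the policy headers.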