How to Add Content-Security-Policy (CSP) Headers in Zimbra

Posted by

A few days ago, one of our clients requested to enable Content-Security-Policy (CSP) on their email server. So, this is what I do

zmprov mcf +zimbraResponseHeader "Content-Security-Policy: default-src https: 'self' 'unsafe-inline'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; img-src 'self' data:"

This configuration has been tested on Zimbra 10 and has worked well so far. Below are the conditions before and after implementing CSP


Before apply CSP


After apply CSP

Good luck 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.