=== Enabling Content Security Policy (CSP) on the web server ===

To protect the Zabbix frontend against Cross Site Scripting (XSS), data injection, and other attacks of a similar type, we recommend enabling Content Security Policy on the web server. To do so, configure the web server to return the [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy|Content-Security-Policy]] HTTP header.

To enable CSP for your Zabbix frontend in Apache configuration, edit:

  /etc/httpd/conf/httpd.conf

For example, if all content is expected to come from the site's origin (excluding subdomains), you can add the following directive to your virtual host's configuration:

  Header set Content-Security-Policy "default-src 'self';"

Restart the Apache service to apply the changes:

  systemctl restart httpd.service
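
One way to confirm after the restart that the frontend really returns the enforcing header with the policy configured above. This is an added example, not part of the Zabbix documentation; the function name ''csp_check'', the host name in the comment and the sample response are assumptions constructed for illustration.

```shell
#!/bin/sh
# csp_check (hypothetical helper, not part of Zabbix): reads HTTP response
# headers on stdin and judges the Content-Security-Policy they carry.
# Exit 0: enforcing policy whose default-src is exactly 'self'
# Exit 1: no enforcing Content-Security-Policy header in the response
# Exit 2: header present, but looser than the policy configured above
# Live use (placeholder host): curl -sI https://zabbix.example.com/ | csp_check
csp_check() {
    awk '
    {
        sub(/\r$/, "")                      # HTTP header lines end in CRLF
        colon = index($0, ":")
        if (colon == 0) next                # status line or blank line
        # Header names are case-insensitive. The -Report-Only variant only
        # reports violations and blocks nothing, so it does not count.
        if (tolower(substr($0, 1, colon - 1)) != "content-security-policy") next
        found = 1
        has_default = 0
        n = split(substr($0, colon + 1), dirs, ";")
        for (i = 1; i <= n; i++) {
            d = dirs[i]
            gsub(/^[ \t]+|[ \t]+$/, "", d)
            if (d == "") continue
            m = split(d, tok, /[ \t]+/)
            dname = tolower(tok[1])
            if (dname == "default-src") {
                has_default = 1
                if (m != 2 || tolower(tok[2]) != "\047self\047") {
                    print "WEAK: default-src is not exactly \047self\047: " d
                    weak = 1
                }
            }
            # A wildcard or inline allowance in any directive undoes the policy.
            for (j = 2; j <= m; j++)
                if (tok[j] == "*" || tolower(tok[j]) == "\047unsafe-inline\047") {
                    print "WEAK: " dname " allows " tok[j]
                    weak = 1
                }
        }
        if (!has_default) { print "WEAK: no default-src directive"; weak = 1 }
    }
    END {
        if (!found) { print "FAIL: no enforcing Content-Security-Policy header"; exit 1 }
        if (weak) exit 2
        print "OK: default-src \047self\047 is enforced"
    }'
}
# Constructed sample response, not captured from a real server:
printf 'HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src \047self\047;\r\n\r\n' | csp_check
```

If the check reports that the header is missing after the restart, confirm that mod_headers is loaded, because the ''Header'' directive is provided by that module.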