I would like to know your thoughts: are there conflicts when two CSPs are applied in the headers?
We discovered that there were missing HTTP headers on our corporate website. Because of this, we enhanced our security configuration last night through the WAF, and I found out that the existing CSP (I think this was previously applied through code) was not removed from the headers; instead, a new CSP header was applied alongside it (implemented through the Silverline WAF).
Existing code (I recently discovered that this is not the best practice?):
default-src 'self' https://xx.20.1xx.71 https://www.cxxk.com 'unsafe-inline' https://www.google.com https://google-analytics.com https://www.googletagmanager.com https://www.googleanalytics.com https://ssl.google-analytics.com https://www.google-analytics.com https://www.googleoptimize.com https://*.googleapis.com https://www.gstatic.com https://maxcdn.bootstrapcdn.com https://use.fontawesome.com https://code.jquery.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.gstatic.com; frame-src 'self' https://1xx.21.1xx.191 https://*.youtube.com https://www.google.com; child-src https://*.youtube.com;
New CSP applied yesterday through the Silverline WAF:
upgrade-insecure-requests
Is it okay that we are seeing two CSPs in the headers? Hoping for your meaningful insights!
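The following is an added example, not part of the question above and not code from Silverline or any browser. It models the rule browsers apply when a response carries more than one Content-Security-Policy header: every policy is enforced independently, so a load goes through only if each policy allows it. The hostnames are constructed stand-ins for the redacted values in the question, and the source matching is deliberately simplified (ports, paths, nonces and hashes are ignored).

```python
"""Model of how a browser combines several Content-Security-Policy headers.

Added example (not from the question). Each delivered policy is enforced on
its own: a load is allowed only if *every* policy allows it. Hostnames below
are constructed placeholders, not the real values from the question.
"""
from urllib.parse import urlparse

# Constructed stand-ins for the two header values described in the question.
POLICY_FROM_CODE = (
    "default-src 'self' https://www.example-corp.com 'unsafe-inline' "
    "https://www.google.com https://*.googleapis.com https://code.jquery.com; "
    "frame-src 'self' https://*.youtube.com https://www.google.com; "
    "child-src https://*.youtube.com;"
)
POLICY_FROM_WAF = "upgrade-insecure-requests"

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "child-src", "media-src",
}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Does one source expression allow a URL? (simplified CSP matching: no ports/paths)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if expr == "'self'":
        return (parsed.scheme, parsed.netloc) == (page_origin.scheme, page_origin.netloc)
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes: never match a URL fetch
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:
        return parsed.scheme == expr[:-1]  # scheme-source such as "https:"
    e = urlparse(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != parsed.scheme:
        return False
    pattern = e.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.youtube.com" matches subdomains only
    return host == pattern


def policy_allows(policy, directive, url, page_origin):
    """One policy's verdict: the directive, else default-src; silence means allow."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # this policy says nothing about this kind of load
    return any(source_matches(s, url, page_origin) for s in sources)


def upgrade_url(policy, url):
    """upgrade-insecure-requests rewrites http:// fetches to https:// before checking."""
    if "upgrade-insecure-requests" in policy and url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


def load_allowed(headers, directive, url, page_url):
    """Combine all CSP headers the way a browser does: every policy must allow the load."""
    page_origin = urlparse(page_url)
    policies = [parse_csp(h) for h in headers]
    for p in policies:
        url = upgrade_url(p, url)
    return all(policy_allows(p, directive, url, page_origin) for p in policies)


if __name__ == "__main__":
    both = [POLICY_FROM_CODE, POLICY_FROM_WAF]
    page = "https://www.example-corp.com/"
    print(load_allowed(both, "script-src", "https://code.jquery.com/jquery.min.js", page))
    print(load_allowed(both, "script-src", "http://www.example-corp.com/app.js", page))
    print(load_allowed(both + ["script-src 'self'"], "script-src",
                       "https://code.jquery.com/jquery.min.js", page))
```

Running the checker against the two constructed policies shows the practical answer to the question: a header that carries only `upgrade-insecure-requests` has no fetch directives, so it never blocks a load that the code-delivered policy allows; it only rewrites `http://` subresource URLs to `https://` before the check. A second header that did carry fetch directives could only tighten the result, never loosen it, because each policy has to agree.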