19

I am setting a Content-Security-Policy header in my .htaccess file, and it has grown to be an extremely long single line, which is a bother to manage. Is there some way to break up this line into more manageable substrings?

As a trivial example, say I am setting a header like

Header set Content-Security-Policy "default-src http://domainA.com; script-src http://domainB.com"

I can (without obvious breaking problems) accomplish my specific case with something like

Header append Content-Security-Policy "default-src http://domainA.com;"
Header append Content-Security-Policy "script-src http://domainB.com"

but that will insert commas into the string, so I was still curious if there was a better answer that could be applied generally, without adding the additional chars to the response.

What would be ideal is if there were some concatenation character that I could use to break the string into smaller parts, like

Header set Content-Security-Policy "default-src http://domainA.com;"
\" script-src http://domainB.com"

or

Header set Content-Security-Policy "default-src http://domainA.com;"^
" script-src http://domainB.com"

or

Header set Content-Security-Policy "default-src http://domainA.com;"
+" script-src http://domainB.com"

Alternatively, if I could set some sort of variable and just dump their contents to do something like

a="default-src http://domainA.com;"
b=" script-src http://domainB.com"
Header set Content-Security-Policy $a$b

that would also be much more manageable.

There was a similar topic that came up for nginx and the conclusion was just to live with the long lines (they were dealing with a long regex, so the append solution wouldn't have worked); is that going to be the case for Apache as well?

2
  • Will holding Shift and pressing Enter after each of your substrings do the trick?
    – StixO
    Commented Jan 27, 2016 at 18:32
  • @StixO No, this issue relates to how Apache parses strings in conf files. Generally (usually HTML) editors will use such a shortcut to differentiate between line breaks (say, <br />) and paragraph breaks (</p>). This will depend on the markup format being parsed, and the editor. Apache conf files are pure text, and as such have no differentiation between a line and a paragraph (regardless of modifier, enter produces a single, system-dependent carriage-return character like \n or \r). Commented Feb 2, 2016 at 17:48

2 Answers

21

The following should work:

 Header set Content-Security-Policy "default-src http://domainA.com; \
      script-src http://domainB.com"
6
  • I tested this and got Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration.
    – kasperd
    Commented Jan 27, 2016 at 19:17
  • 1
    @kasperd you need to run a2enmod headers Commented Jan 27, 2016 at 19:50
  • 1
    Wow, actually, evidently you can escape any whitespace character this way. Confirmed working with \<tab> as well. .htaccess will never have looked so good! Commented Jan 27, 2016 at 20:02
  • 1
    Huh, even works to break up regex! @BazzaDP, you might want to go drop this answer on that nginx question I mentioned as well, might work there too. Commented Jan 27, 2016 at 20:05
  • 2
    I applied backslash in a lengthy regular expression pattern in RewriteRule. It worked like a charm, but the next line's auto tab spaces (generated by VS Code) must be deleted to get it to work, though. Commented Apr 28, 2022 at 4:39
10

Yes - the backslash works as a line-continuation. This is buried within the Apache 2.4 documentation on https://httpd.apache.org/docs/2.4/configuring.html#page-header

Important rules:

  1. Whitespace within a line is fine, i.e. any number of tabs and spaces;
  2. The last character on all lines except the final one must be a backslash;
  3. The final line must not terminate with a backslash;
  4. The Apache comment character (#) cannot be used to comment out a line.
  5. You cannot break the [flags].

If these rules are not obeyed, the server will respond with an Error 500.

Note that when editing *.conf files you can use C:\Apache24\bin>httpd -t to check your syntax.

1
  • The problem is the flags, and you can't break the flags.
    – Max Muster
    Commented May 3, 2022 at 14:38
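
Added example, not part of the original question or answers: a small Python model of the two approaches on this page, showing the header value each one produces and how many policies it contains, since CSP treats comma-separated values as separate policies. The line-joining function is a simplified assumption based on the continuation rule quoted above, the function names are hypothetical, and the sample inputs are constructed from the question's own directives.

```python
import re

def join_continuations(text):
    """Join lines ending in a backslash with the next line (simplified model, an assumption)."""
    logical, pending, continued = [], "", False
    for line in text.splitlines():
        continued = line.endswith("\\")
        pending += line[:-1] if continued else line
        if not continued:
            logical.append(pending)
            pending = ""
    if continued:
        raise ValueError("final line must not end with a backslash")
    return logical

HEADER_RE = re.compile(
    r'^\s*Header\s+(set|append)\s+Content-Security-Policy\s+"([^"]*)"\s*$', re.I)

def csp_header_value(htaccess_text):
    """Header value produced by the set/append directives, in file order."""
    value = None
    for line in join_continuations(htaccess_text):
        m = HEADER_RE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "set" or value is None:
            value = m.group(2)
        else:  # mod_headers joins an appended value with a comma
            value += ", " + m.group(2)
    return value

def parse_policies(header_value):
    """Commas separate policies; semicolons separate directives in a policy."""
    policies = []
    for serialized in header_value.split(","):
        directives = {}
        for part in serialized.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies

# Constructed samples mirroring the question and the first answer.
CONTINUED = ('Header set Content-Security-Policy "default-src http://domainA.com; \\\n'
             '      script-src http://domainB.com"\n')
APPENDED = ('Header append Content-Security-Policy "default-src http://domainA.com;"\n'
            'Header append Content-Security-Policy "script-src http://domainB.com"\n')
```

In the appended form a browser receives two policies and enforces both; the first has no script-src, so scripts fall back to its default-src.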
