My objective is to block third-party script or content injection, but allow scripts from my site and AdSense.
There are various versions of a CSP. This is the code Google recommends:
Header set Content-Security-Policy "script-src 'self' https://apis.google.com"
When installed, it displays properly in response headers and passes Google's CSP Evaluator, the Moz Observatory and Secarma validators.
I already have numerous other security features installed and am not looking for alternatives. I'm trying to determine how to get this header directive to work as intended. Thanks.
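
An added example, not part of the original post: a simplified `script-src` matcher run against the exact policy quoted above, to show which script URLs it lets through. The page origin and sample URLs are constructed, the AdSense loader host `pagead2.googlesyndication.com` is an assumption, and the matcher ignores paths, ports, nonces, hashes and `'strict-dynamic'`.

```javascript
// Policy string exactly as quoted in the post.
const POLICY = "script-src 'self' https://apis.google.com";
const PAGE_ORIGIN = 'https://www.example.com'; // constructed placeholder origin

// Return the source list that governs scripts, falling back to default-src.
function scriptSrcSources(policy) {
  const directives = policy.split(';').map(d => d.trim().split(/\s+/));
  const hit = directives.find(t => t[0].toLowerCase() === 'script-src')
           || directives.find(t => t[0].toLowerCase() === 'default-src');
  return hit ? hit.slice(1) : null; // null: the policy does not restrict scripts
}

// Host-source match: exact host, or "*.example.com" for any subdomain.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// True when an external script URL is permitted by the policy (simplified rules).
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  return sources.some(src => {
    const s = src.toLowerCase();
    if (s === "'self'") return url.origin === pageOrigin;
    if (s.startsWith("'")) return false;       // other keywords never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. "https:"
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
    if (!m) return false;
    if (m[1] && url.protocol !== m[1] + ':') return false;
    return hostMatches(m[2], url.hostname);
  });
}

// Constructed sample URLs: own site, the allowed Google API host,
// the assumed AdSense loader host, and an arbitrary third party.
const SAMPLES = [
  'https://www.example.com/js/app.js',
  'https://apis.google.com/js/api.js',
  'https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js',
  'https://cdn.third-party.example/inject.js',
];
for (const u of SAMPLES) {
  console.log(scriptAllowed(POLICY, u, PAGE_ORIGIN) ? 'allow' : 'block', u);
}
```

Each source expression is matched by scheme and host, so a script host that is not listed is blocked even when it belongs to the same vendor as a listed one.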