Windows PHP emits a warning when a multi‑line CSP header is sent.
Linux accepts multi‑line headers, but Windows requires one continuous line.
The current CSP header:
header("Content-Security-Policy:
default-src 'self';
script-src 'self' https://{$serverFQDN};
style-src 'self' 'unsafe-inline' https://{$serverFQDN};
img-src 'self' https://{$serverFQDN};"
);
This produces a warning on Windows because HTTP headers cannot contain literal newlines.
Convert the CSP header into a single line:
header("Content-Security-Policy: default-src 'self'; script-src 'self' https://{$serverFQDN}; style-src 'self' 'unsafe-inline' https://{$serverFQDN}; img-src 'self' https://{$serverFQDN};");
This resolves the Windows warning and behaves identically on Linux.
Recomended:
// Security & privacy headers
$nonce = bin2hex(random_bytes(12));
$policies = [
"default-src 'self'",
"style-src 'self' 'nonce-$nonce'",
"script-src 'self' 'nonce-$nonce' sipylus.com www.sipylus.com static.statcounter.com secure.statcounter.com www.statcounter.com c.statcounter.com",
"img-src 'self' data: sipylus.com www.sipylus.com c.statcounter.com secure.statcounter.com www.statcounter.com sipylus.montastic.io",
"font-src 'self'",
"connect-src 'self'",
"frame-ancestors 'none'",
"base-uri 'none'",
"form-action 'self'",
"object-src 'none'",
"require-trusted-types-for 'script'",
"upgrade-insecure-requests"
];
Windows PHP emits a warning when a multi‑line CSP header is sent.
Linux accepts multi‑line headers, but Windows requires one continuous line.
The current CSP header:
This produces a warning on Windows because HTTP headers cannot contain literal newlines.
Convert the CSP header into a single line:
This resolves the Windows warning and behaves identically on Linux.
Recomended: