Tags: php, apache, .htaccess, reporting, content-security-policy

Where to declare content security policy report-uri?


I'm new to Content-Security-Policy and this is my first time trying to implement CSP in my web app, but I have no clue where to put / declare the report-uri, as it cannot be declared using meta http-equiv.

I've tried putting this code in the very top line of my .htaccess file but it seems it doesn't run the URI.

Header set Content-Security-Policy "report-uri http://localhost/my-webapp-name/report-parser.php"

but if I POST something manually to 'report-parser.php', the script works just fine.

Update: It seems I have found the problem but have still not found the solution. The problem, to my understanding, is that the policy I set in .htaccess is overwritten by the policy that I declare inside the HTML <head></head> using meta http-equiv.

So the question becomes: where to declare the policy report-uri so that it is not overwritten by the other policy inside the HTML head?


Solution

  • The working solution so far, based on this link https://gist.github.com/phpdave/24d879514e7411047267 shared by Dipak cahvda, is to put all the policies in the PHP header() function.
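
The approach in the answer, as an added example that is not code from the question, the answer or the linked gist: the whole policy, report-uri included, is sent with header(), and the same script accepts the violation report the browser POSTs back. The function names, directive values, log path and size cap are assumptions; only the report path comes from the URL in the question.

```php
<?php // Added example; names and values below are assumptions unless noted.
const REPORT_URI = '/my-webapp-name/report-parser.php'; // path from the URL in the question
const REPORT_LOG = __DIR__ . '/csp-reports.log';        // assumed log location
const MAX_REPORT_BYTES = 16384;                         // assumed size cap

// Build the whole policy, report-uri included, as one header value.
function build_csp(array $directives, string $reportUri): string {
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    $parts[] = 'report-uri ' . $reportUri;
    return implode('; ', $parts);
}

// Page side: must run before any output is sent.
function send_csp(): void {
    header('Content-Security-Policy: ' . build_csp([
        'default-src' => ["'self'"],            // assumed directives
        'img-src'     => ["'self'", 'data:'],
    ], REPORT_URI));
}

// Report side: turn one violation report body into a log line, or null if malformed.
function parse_csp_report(string $body): ?string {
    $json = json_decode($body, true);
    $report = is_array($json) ? ($json['csp-report'] ?? null) : null;
    if (!is_array($report)) {
        return null;
    }
    $fields = [];
    foreach (['document-uri', 'violated-directive', 'blocked-uri'] as $key) {
        // Report contents are untrusted: drop control characters and cap the length.
        $raw = is_scalar($report[$key] ?? null) ? (string) $report[$key] : '';
        $clean = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $raw);
        $fields[] = $key . '=' . substr($clean, 0, 512);
    }
    return implode(' ', $fields);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Read one byte past the cap so oversized bodies can be rejected.
    $body = (string) file_get_contents('php://input', false, null, 0, MAX_REPORT_BYTES + 1);
    $line = strlen($body) <= MAX_REPORT_BYTES ? parse_csp_report($body) : null;
    if ($line !== null) { error_log($line . PHP_EOL, 3, REPORT_LOG); }
    http_response_code(204);
} elseif (PHP_SAPI !== 'cli') {
    send_csp();
}
```

In the layout from the question, send_csp() would be called at the top of each page and the POST branch would live in report-parser.php.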