Last active
October 14, 2024 07:59
-
-
Save ambroisemaupate/bce4b760405558f358ae to your computer and use it in GitHub Desktop.
Nginx CSP example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # config to don't allow the browser to render the page inside an frame or iframe | |
| # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking | |
| # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri | |
| # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
| add_header X-Frame-Options SAMEORIGIN; | |
| # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, | |
| # to disable content-type sniffing on some browsers. | |
| # https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
| # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx | |
| # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx | |
| # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 | |
| add_header X-Content-Type-Options nosniff; | |
| # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. | |
| # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for | |
| # this particular website if it was disabled by the user. | |
| # https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
| add_header X-XSS-Protection "1; mode=block"; | |
| # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), | |
| # you can tell the browser that it can only download content from the domains you explicitly allow | |
| # http://www.html5rocks.com/en/tutorials/security/content-security-policy/ | |
| # https://www.owasp.org/index.php/Content_Security_Policy | |
| # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' | |
| # directives for css and js(if you have inline css or js, you will need to keep it too). | |
| # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful | |
| add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'"; |
Also, it is important to note that all mobile web browsers besides Google Chrome didn't work because of line breaks in the CSP config.
After adding the configuration to a single line solved the problem. 😅
First set src variable then use it:
set $src "bla bla very long bla bla";
add_header Content-Security-Policy $src;
add_header X-Content-Security-Policy $src;
add_header X-WebKit-CSP $src;
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since you have shared, I will do the same ❤️
These CSP config for nginx is more for securing public sites than internal use.
"We can also add “always” at the end of the nginx config to confirm nginx sends the header regardless of the response code. "
I still ain't super happy about the unsafe-inline and unsafe-eval, but at least you know what links are allowed as unsafe, plus if you are hosting JAMstack sites, the site(s) should be static.
Note: The following snippet of code is the same as @zar3bski code, but the default-src isn't needed according to Mozilla.
This is what I have concluded with for the Nginx Content-Security-Policty; also, nginxconfig.io has some useful tid bits of information for learning and securing ones site: