APACHE to NGINX | content-security-policy.conf
# REF: https://github.com/h5bp/server-configs-apache/blob/master/src/security/content-security-policy.conf
<IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset Content-Security-Policy
    </FilesMatch>
</IfModule>

# By default, add a general Content-Security-Policy.
# The report-uri value is a plain URI: only CSP keywords such as 'self' are quoted.
add_header Content-Security-Policy "object-src 'self'; script-src 'self'; report-uri https://a64f09869d9d888886f95be0f597d7ec.report-uri.io/r/default/csp/enforce";
# Now unset Content-Security-Policy for resources matching the extensions below.
# more_clear_headers is provided by the headers-more module (ngx_headers_more), not by stock nginx.
location ~* \.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$ {
    more_clear_headers 'Content-Security-Policy';
}
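
An added example, not part of the original gist: the same "send CSP by default, omit it for static resources" behaviour using only stock nginx directives, with a `map` on `$uri` feeding `add_header`, so the headers-more module is not required. The variable name `$csp_header` is an assumption, and the policy is shortened to the two directives shared with the Apache version.

```nginx
# http {} context: pick the header value from the normalized request URI.
# $csp_header is a hypothetical variable name chosen for this example.
map $uri $csp_header {
    # Any URI not matched below receives the policy.
    default "object-src 'self'; script-src 'self'";

    # Same extension list as the location block in the gist. An empty value
    # makes add_header emit no Content-Security-Policy header for these files.
    ~*\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$ "";
}

server {
    # server {} (or http {}) context. add_header is inherited by a location
    # only when that location declares no add_header of its own, so any
    # location with its own add_header lines must repeat this one.
    add_header Content-Security-Policy $csp_header;
}
```

A quick check after reloading is to request one HTML page and one static file and confirm that only the HTML response carries the `Content-Security-Policy` header.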
@harikt harikt commented Apr 18, 2017

@7php 7php commented Apr 18, 2017

thanks @harikt, the 2nd link I think is putting me on the track..
