Nginx CORS and CSP configuration for wildcard origin domains
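server {
    add_header Content-Security-Policy "default-src 'none'";
    add_header X-Content-Security-Policy "default-src 'none'";
    add_header X-WebKit-CSP "default-src 'none'";
    add_header Access-Control-Allow-Headers "X-Requested-With";

    # Echo Origin only when it matches the allow-list. add_header stays at
    # server level: inside "if" it is only valid within a location and would
    # replace the inherited headers above. An empty $cors emits no header.
    set $cors "";
    if ($http_origin ~* "^https?://([a-z0-9-]+\.)*(domain1|domain2|domain3)\.(?:me|co|com)$") {
        set $cors $http_origin;
    }
    add_header Access-Control-Allow-Origin $cors;
}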
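An added example, not part of the gist: a Python harness that runs constructed Origin values through two forms of the allow-list regex, one with no leading `^` and `.+` for the subdomain, and one anchored with the subdomain limited to hostname labels. The function names and sample origins are assumptions of this example, and Python's `re` stands in for nginx's PCRE matching.

```python
import re

# Loose form: no leading ^, and ".+" accepts any characters before the name.
LOOSE = re.compile(
    r"(https?://(.+\.)?(domain1|domain2|domain3)\.(?:me|co|com)$)", re.I)
# Strict form (assumption of this example): anchored at both ends,
# subdomain part limited to hostname labels.
STRICT = re.compile(
    r"^https?://([a-z0-9-]+\.)*(domain1|domain2|domain3)\.(?:me|co|com)$", re.I)


def allow_origin(origin, pattern):
    """Mimic the config: return the Access-Control-Allow-Origin value,
    or "" when no header would be sent. nginx's ~* is an unanchored,
    case-insensitive search, hence pattern.search()."""
    if origin and pattern.search(origin):
        return origin
    return ""


# Constructed Origin values. The last two are malformed; a browser would
# not send them, but the header value still reaches the regex as-is.
SAMPLES = [
    "https://domain1.com",
    "http://api.domain2.co",
    "https://a.b.domain3.me",
    "https://notdomain1.com",            # different registrable domain
    "https://domain1.com.example",       # allowed name used as a prefix
    "https://domain1.com:8443",          # explicit port is not covered
    "null",
    "x-https://domain1.com",             # junk before the scheme
    "https://example.org/.domain1.com",  # path-like text before the name
]


def audit(pattern):
    """Map each sample origin to True if it would be reflected."""
    return {o: bool(allow_origin(o, pattern)) for o in SAMPLES}


def disagreements():
    """Origins on which the loose and strict forms give different answers."""
    loose, strict = audit(LOOSE), audit(STRICT)
    return [o for o in SAMPLES if loose[o] != strict[o]]


if __name__ == "__main__":
    for origin in SAMPLES:
        print(f"{origin:36} loose={audit(LOOSE)[origin]!s:5} strict={audit(STRICT)[origin]}")
```

Neither form accepts an origin with an explicit port, so a site served on a non-default port needs the pattern extended.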