@adrianorsouza
Last active September 18, 2023 08:09
Nginx CORS and CSP configuration for wildcard origin domains
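server {
    # ...
    add_header Content-Security-Policy "default-src 'none'";
    # Legacy prefixed CSP headers for older browsers
    add_header X-Content-Security-Policy "default-src 'none'";
    add_header X-WebKit-CSP "default-src 'none'";
    add_header "Access-Control-Allow-Headers" "X-Requested-With";

    # Empty by default: nginx omits an add_header whose value is empty,
    # so non-matching origins get no Access-Control-Allow-Origin header.
    set $cors "";
    # Anchored at both ends; subdomain labels limited to hostname characters.
    if ( $http_origin ~* (^https?://([a-z0-9-]+\.)*(domain1|domain2|domain3)\.(?:me|co|com)$) ) {
        set $cors "$http_origin";
    }
    add_header "Access-Control-Allow-Origin" "$cors";
    # The response depends on the request's Origin, so tell caches.
    add_header Vary "Origin";
    # ...
}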
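An offline check of the Origin allowlist regex, added here as an example and not part of the original gist: it runs an unanchored form of the pattern and an anchored form with hostname-only subdomain labels against constructed Origin values. Python's `re.search` with `re.IGNORECASE` stands in for nginx's `~*`; the function names and the sample origins are assumptions of this example.

```python
import re

# Unanchored form: nginx `~*` is a case-insensitive search, so without `^`
# the pattern only has to match the tail of the Origin value.
UNANCHORED = r"(https?://(.+\.)?(domain1|domain2|domain3)\.(?:me|co|com)$)"
# Anchored form with subdomain labels limited to hostname characters.
ANCHORED = r"(^https?://([a-z0-9-]+\.)*(domain1|domain2|domain3)\.(?:me|co|com)$)"

# Constructed Origin values: (value, should the allowlist accept it?)
CASES = [
    ("https://domain1.com", True),
    ("http://api.domain2.co", True),
    ("https://a.b.domain3.me", True),
    ("HTTPS://WWW.DOMAIN1.COM", True),              # ~* ignores case
    ("https://domain1.com.other.example", False),   # listed name is only a prefix
    ("https://notdomain1.com", False),              # different registrable domain
    ("https://domain1.org", False),                 # TLD not in the list
    ("https://other.example/.domain1.com", False),  # non-hostname characters
    ("x-https://domain1.com", False),               # scheme is only a suffix
    ("null", False),
    ("", False),                                    # no Origin header
]


def allowed(pattern, origin):
    """Mimic `if ($http_origin ~* pattern)`: unanchored, case-insensitive."""
    return re.search(pattern, origin, re.IGNORECASE) is not None


def mismatches(pattern):
    """Return the constructed origins whose result differs from the expected one."""
    return [o for o, want in CASES if allowed(pattern, o) != want]


if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, "->", mismatches(pat) or "all cases as expected")
```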