Nginx CSP example
# config to not allow the browser to render the page inside a frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# when serving user-supplied content, include an X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing in some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# with Content Security Policy (CSP) enabled (and a browser that supports it: http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling the 'unsafe-inline' 'unsafe-eval'
# directives for CSS and JS (if you have inline CSS or JS, you will need to keep them too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'";
@ambroisemaupate ambroisemaupate (Owner, Author) commented Mar 4, 2015

Do not forget object-src 'self', as PDFs won't be shown in Chrome!

@pasystem pasystem commented Feb 5, 2018

@zar3bski zar3bski commented Jul 1, 2019

Thx!
Personal opinion: since this conf is supposed to increase security, I wouldn't add "script-src 'unsafe-inline' 'unsafe-eval'" in it, the reason being that, by doing so, CSP no longer protects the client against stored XSS :/

@gadoi gadoi commented Apr 19, 2021

thanks

@jlhollowell jlhollowell commented Jul 21, 2021

Thanks for this resource. Regarding the use of 'unsafe-inline', unfortunately some php web apps don't work properly without it. :-( Limesurvey, Moodle to name the two that I have had to use it on.

@ptumula89 ptumula89 commented Sep 9, 2021

How to write multiple CSP rules in an http block?

@zar3bski zar3bski commented Sep 9, 2021

> How to write multiple CSP rules in an http block?

You can specify multiple CSP rules, after globally disabling the permissive default-src, separated with ;. For instance:

    add_header Content-Security-Policy "default-src 'none'; 
                                        script-src 'self';
                                        style-src 'self' ; 
                                        connect-src 'self'; 
                                        font-src 'self' https://fonts.googleapis.com; 
                                        object-src 'self'; 
                                        media-src 'self'; 
                                        frame-src 'self' https://www.google.com https://www.youtube.com https://www.facebook.com;";

Line breaks are tolerated by the nginx conf parser, as long as the value starts and ends with ". Machines don't mind, but humans usually prefer readable configuration files.
