

Last active April 5, 2024 14:38
Nginx CSP example
# Do not allow the browser to render this page inside a frame or iframe,
# to avoid clickjacking. If you need to allow [i]frames from your own origin,
# use SAMEORIGIN. (ALLOW-FROM uri was never widely supported and is ignored by
# current browsers; use the CSP frame-ancestors directive for that case.)
add_header X-Frame-Options SAMEORIGIN;
# When serving user-supplied content, include an X-Content-Type-Options: nosniff
# header along with the Content-Type header to disable content-type sniffing.
# (Originally IE >= 8 only; now supported by all major browsers.)
add_header X-Content-Type-Options nosniff;
# This header re-enables the reflected-XSS filter built into the browser for this
# particular website if the user disabled it.
# Caveat: that filter has since been removed from Chromium-based browsers and was
# never implemented in Firefox, so the header does nothing in current browsers;
# rely on CSP instead.
add_header X-XSS-Protection "1; mode=block";
# With Content Security Policy (CSP) enabled (and a browser that supports it),
# you can tell the browser that it may only load content from the domains you
# explicitly allow.
# I need to change our application code so we can increase security by disabling
# the 'unsafe-inline' and 'unsafe-eval' directives for CSS and JS (if you have
# inline CSS or JS, you will need to keep them too).
# Caveats: the "*" entries below read as placeholders for your own origins, but a
# literal "*" matches any origin and voids the directive it appears in, so replace
# them rather than deploying the line as-is. Keep the whole header value on one
# line; a line break inside the quoted value produces an invalid header. nginx
# add_header directives are inherited from the enclosing block only if the
# current block sets none of its own, so a location that adds any header of its
# own must repeat all of these.
# more:
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' * * *; frame-src 'self' * *; object-src 'self'";
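As an added check (example code written for this page, not part of the gist), the following Python lints a CSP header value for the problems a reviewer would flag in the policy above: a `*` source, the `'unsafe-inline'` and `'unsafe-eval'` keywords, a missing `default-src` or `frame-ancestors`, and a line break inside the header value. The weak policy is the one from the gist, with its `*` entries taken literally; the hardened policy is constructed for comparison and its `https://cdn.example.com` host is a placeholder.

```python
"""Lint a Content-Security-Policy header value for common weaknesses.

Added example, not part of the gist. Checks for '*' sources, the
'unsafe-inline' and 'unsafe-eval' keywords, a missing default-src,
object-src or frame-ancestors, and a line break inside the header value.
"""
import re

# The policy from the gist above, with the "*" entries taken literally.
WEAK_POLICY = ("script-src 'self' 'unsafe-inline' 'unsafe-eval' * * *; "
               "frame-src 'self' * *; object-src 'self'")

# Constructed hardened policy; https://cdn.example.com is a placeholder host.
HARDENED_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                   "object-src 'none'; frame-ancestors 'self'; base-uri 'self'")

UNSAFE_KEYWORDS = ("'unsafe-eval'", "'unsafe-inline'")
# Directives whose source lists are checked for wildcards and unsafe keywords.
FETCH_DIRECTIVES = ("default-src", "script-src", "style-src", "object-src", "frame-src")


def parse_csp(value):
    """Split a serialized policy into {directive: [source, ...]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers honour the first occurrence and ignore the rest; do the same.
    """
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def lint_csp(value):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    if re.search(r"[\r\n]", value):
        findings.append("header value contains a line break; an HTTP header value "
                        "must be a single line and browsers may drop the policy")
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive not listed explicitly "
                        "(img-src, style-src, connect-src, ...) is unrestricted")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src is unrestricted: plugin content (object/embed) "
                        "can be loaded from anywhere")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: CSP does not restrict who may frame this "
                        "page; frame-src only limits what the page itself embeds, so "
                        "clickjacking protection rests on X-Frame-Options alone")
    for name in FETCH_DIRECTIVES:
        sources = policy.get(name)
        if sources is None:
            continue
        if "*" in sources:
            findings.append(f"{name}: '*' matches any origin, so the other hosts "
                            "listed are redundant and the restriction is void")
        for keyword in UNSAFE_KEYWORDS:
            if keyword in sources:
                findings.append(f"{name}: {keyword} defeats the protection this "
                                "directive is meant to provide")
    return findings


if __name__ == "__main__":
    for label, policy in (("gist policy", WEAK_POLICY), ("hardened policy", HARDENED_POLICY)):
        print(f"{label}:")
        for finding in lint_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run the file directly to see the report for both policies; `lint_csp` returns six findings for the gist policy and none for the hardened one. The checks cover only the directives the gist touches plus `default-src` and `frame-ancestors`; extend `FETCH_DIRECTIVES` if your policy sets others.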

oDinZu commented Dec 4, 2022

Also, it is important to note that all mobile web browsers besides Google Chrome didn't work because of line breaks in the CSP config.

Putting the configuration on a single line solved the problem. 😅


hkn06tr commented Apr 5, 2024

First set a src variable, then use it:

# nginx: store the long policy in a variable once (set is valid in server, location and if blocks),
# then emit it under each header name
set $src "bla bla very long bla bla";
add_header Content-Security-Policy $src;
# legacy prefixed names read by pre-standard Firefox/IE (X-Content-Security-Policy)
# and WebKit (X-WebKit-CSP) builds; harmless, but current browsers only honour the unprefixed header
add_header X-Content-Security-Policy $src;
add_header X-WebKit-CSP $src;
