@anon987654321
Last active June 21, 2020 13:14

Custom CSPs for different hosts

http protocol "https_reverse_proxy" {
  [...]

  # CSPs to help reduce the risk of Cross-Site Scripting
  # https://content-security-policy.com/

  # Hosts that require custom CSPs
  match request header "Host" value "myapp1.com" tag "myapp1"
  match request header "Host" value "myapp2.com" tag "myapp2"
  match request header "Host" value "myapp3.com" tag "myapp3"

  # Myapp1
  # Feature request: match header set "Content-Security-Policy" value "default-src 'self'; ..." tagged "myapp1"
  pass response quick tagged "myapp1" header set "Content-Security-Policy" value "default-src 'self'; ..."

  # Myapp2
  # Feature request: match header set "Content-Security-Policy" value "default-src 'self'; ..." tagged "myapp2"
  pass response quick tagged "myapp2" header set "Content-Security-Policy" value "default-src 'self'; ..."
  # What is going on here???
  pass quick tagged "myapp2" forward to <myapp2>

  # Myapp3
  # Feature request: match header set "Content-Security-Policy" value "default-src 'self'; ..." tagged "myapp3"
  pass response quick tagged "myapp3" header set "Content-Security-Policy" value "default-src 'self'; ..."
  pass quick tagged "myapp3" forward to <myapp3>

  # Everyone else
  match response header set "Content-Security-Policy" value "default-src 'self';"
}
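The policy values above are elided ("default-src 'self'; ..."). As an added example that is not part of the gist, the following lint pass parses full CSP header values and flags the weaknesses that most often undo the XSS protection the config is trying to add; the per-host policies it checks are constructed stand-ins, not the author's real values.

```python
"""Lint Content-Security-Policy values before pasting them into relayd.conf.

Added example, not part of the gist. HOST_POLICIES holds constructed,
hypothetical policies for the hosts named in the config.
"""
from typing import Dict, List

# Constructed sample policies; the gist only shows the "default-src 'self';" prefix.
HOST_POLICIES: Dict[str, str] = {
    "myapp1.com": "default-src 'self'; script-src 'self' https://cdn.example; img-src 'self' data:",
    "myapp2.com": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "myapp3.com": "script-src *; object-src 'none'",
    "fallback": "default-src 'self';",  # the "Everyone else" rule in the config
}

# Sources that make script-src ineffective against injected or inline script.
RISKY_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated; a repeated directive is ignored, which is how
    browsers treat duplicates (the first occurrence wins).
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str) -> List[str]:
    """Return findings for one policy; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("missing default-src: unlisted fetch directives are unrestricted")
    # script-src falls back to default-src when it is not set explicitly.
    script_src = policy.get("script-src", policy.get("default-src", []))
    for src in script_src:
        if src.lower() in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src permits {src}")
    return findings


def lint_all(policies: Dict[str, str] = HOST_POLICIES) -> Dict[str, List[str]]:
    """Lint every host's policy so the report matches the per-host rules in relayd.conf."""
    return {host: lint_csp(value) for host, value in policies.items()}


if __name__ == "__main__":
    for host, findings in lint_all().items():
        print(host, "OK" if not findings else "; ".join(findings))
```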