APACHE to NGINX | content-security-policy.conf
# REF: https://github.com/h5bp/server-configs-apache/blob/master/src/security/content-security-policy.conf
# Everything below applies only when mod_headers is loaded; without the module
# the whole section is skipped and no Content-Security-Policy is sent at all.
<IfModule mod_headers.c>
# Baseline policy: scripts and plugin objects may be loaded from the site's
# own origin only.
# NOTE(review): "Header set" without the "always" condition writes to the
# onsuccess table, so error responses generated by the server may go out
# without the policy - confirm whether that is intended.
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
# Remove the header again for files whose name ends in one of these static
# asset extensions.
# NOTE(review): the list includes svg, xml and pdf, which a browser can open
# as top-level documents; those responses carry no policy after the unset.
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset Content-Security-Policy
</FilesMatch>
</IfModule>
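# Send a baseline Content-Security-Policy: scripts and plugin objects from the
# site's own origin only, with violations reported to the report-uri endpoint.
# The report-uri value is a bare URI. Only keyword sources such as 'self' take
# single quotes; a quoted URI is not a valid report endpoint, so violation
# reports would not be delivered.
# NOTE(review): without the "always" parameter nginx adds this header only to
# successful and redirect responses, so error pages are served without the
# policy - consider appending "always" if the nginx version supports it.
# NOTE(review): add_header is inherited by a location only when that location
# declares no add_header of its own; any location that adds another header
# silently loses this policy unless it repeats the directive.
add_header Content-Security-Policy "object-src 'self'; script-src 'self'; report-uri https://a64f09869d9d888886f95be0f597d7ec.report-uri.io/r/default/csp/enforce";

# Drop the policy for static assets, matched case-insensitively by extension.
# more_clear_headers is provided by the third-party headers-more module; the
# configuration fails to load with "unknown directive" when it is missing.
# NOTE(review): in common builds the headers-more filter appears to run before
# the filter that applies add_header, in which case the header is still sent.
# Verify with `curl -I` against one of these file types before relying on it.
# NOTE(review): svg, xml and pdf can be opened as top-level documents; if the
# clear does take effect, those responses carry no policy.
location ~* \.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$ {
    more_clear_headers 'Content-Security-Policy';
}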