Created October 17, 2017 07:27
CSP definition for Nginx which leverages $server_name
# CSP definition for Nginx which leverages $server_name
# Purpose: one CSP header for all vhosts
# Installation
# Include this in each server directive in nginx.conf
# Note
# Check out the script that sends a Google Analytics event and an email when a CSP violation is triggered:
# https://github.com/mikeg-de/CSP-Violation-Google-Analytics-Email
# WARNING
# Do NOT format with line breaks. This will cause Firefox to stop loading the website.
# My article: https://atmedia-marketing.com/technik/website-absichern-server-haerten-mit-content-security-response-header/
# Bug report #1: https://www.fxsitecompat.com/en-CA/docs/2015/line-breaks-in-http2-headers-are-no-longer-allowed/
# Bug report #2: https://bugzilla.mozilla.org/show_bug.cgi?id=1197847
add_header Content-Security-Policy "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com *.gstatic.com *.jquery.com *.videopress.com; style-src 'self' 'unsafe-inline' *.$server_name *.googleapis.com *.google.com *.gstatic.com *.amazonaws.com *.bootstrapcdn.com *.jquery.com; img-src 'self' data: *.$server_name *.google.com *.google-analytics.com *.gstatic.com *.googleapis.com *.amazonaws.com *.gravatar.com *.w.org *.creativecommons.org *.jquery.com; font-src 'self' data: *.$server_name *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.$server_name *.googletagmanager.com; media-src 'self' *.$server_name *.w.org *.videopress.com; object-src 'self' *.$server_name; child-src 'self' *.googletagmanager.com *.google.com pastebin.com *.videopress.com akismet.com; form-action 'self'; frame-ancestors 'self' *.$server_name *.theluxurypeople.com; upgrade-insecure-requests; report-uri /csp-report-file.php";
# Legacy header: Firefox until v23, and partial support in IE10
add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com *.gstatic.com *.jquery.com *.videopress.com; style-src 'self' 'unsafe-inline' *.$server_name *.googleapis.com *.google.com *.gstatic.com *.amazonaws.com *.bootstrapcdn.com *.jquery.com; img-src 'self' data: *.$server_name *.google.com *.google-analytics.com *.gstatic.com *.googleapis.com *.amazonaws.com *.gravatar.com *.w.org *.creativecommons.org *.jquery.com; font-src 'self' data: *.$server_name *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.$server_name *.googletagmanager.com; media-src 'self' *.$server_name *.w.org *.videopress.com; object-src 'self' *.$server_name; child-src 'self' *.googletagmanager.com *.google.com pastebin.com *.videopress.com akismet.com; form-action 'self'; frame-ancestors 'self' *.$server_name *.theluxurypeople.com; upgrade-insecure-requests; report-uri /csp-report-file.php";
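A small audit helper, added here as an example and not part of the gist: it simulates nginx expanding `$server_name` into the header value, rejects a value that contains the line breaks the gist's WARNING refers to, and reports which directives still carry `'unsafe-inline'` or `'unsafe-eval'`. The shortened sample policy and the hostname `example.org` are constructed for the demonstration.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example (not code from the gist). Checks the two points the gist's
comments raise: the value must not contain line breaks (Firefox rejects
them in HTTP/2 responses), and the policy still allows 'unsafe-inline'
and 'unsafe-eval' in some directives.
"""
from typing import Dict, List

# Constructed sample: a trimmed version of the gist's policy, with nginx's
# $server_name variable still unexpanded, as it appears in nginx.conf.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com; "
    "style-src 'self' 'unsafe-inline' *.$server_name; "
    "object-src 'self' *.$server_name; "
    "report-uri /csp-report-file.php"
)

UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def expand_server_name(policy: str, server_name: str) -> str:
    """Mimic nginx substituting $server_name when add_header is evaluated.

    Note that *.example.org matches subdomains only; the apex host is still
    covered by 'self' in every directive of the gist's policy.
    """
    return policy.replace("$server_name", server_name)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source, ...]}."""
    if "\r" in policy or "\n" in policy:
        raise ValueError("CSP header value must not contain line breaks")
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return findings about weak settings, in directive order checked."""
    directives = parse_csp(policy)
    findings = []
    for name in ("script-src", "style-src", "default-src"):
        weak = UNSAFE_SOURCES & set(directives.get(name, []))
        if weak:
            findings.append(f"{name} allows {' '.join(sorted(weak))}")
    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("no violation reporting endpoint configured")
    return findings
```

Running `audit_csp(expand_server_name(SAMPLE_CSP, "example.org"))` lists the directives that still permit inline or eval'd script, which is where the policy's XSS protection is weakest.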