@r-aamir
Forked from mikeg-de/nginx-csp-security.conf
Created October 14, 2021 12:54
CSP definition for Nginx which leverages $server_name
# CSP definition for Nginx which leverages $server_name
# Purpose: one CSP header for all vhosts
# Installation
# Include this file in each server block of nginx.conf
# Note
# See the linked script, which sends a Google Analytics event and an email when a CSP violation is reported:
# https://github.com/mikeg-de/CSP-Violation-Google-Analytics-Email
# WARNING
# Do NOT format with line breaks. A line break inside the header value causes Firefox to stop loading the website
# My article: https://atmedia-marketing.com/technik/website-absichern-server-haerten-mit-content-security-response-header/
# Bug report #1: https://www.fxsitecompat.com/en-CA/docs/2015/line-breaks-in-http2-headers-are-no-longer-allowed/
# Bug report #2: https://bugzilla.mozilla.org/show_bug.cgi?id=1197847
add_header Content-Security-Policy "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com *.gstatic.com *.jquery.com *.videopress.com; style-src 'self' 'unsafe-inline' *.$server_name *.googleapis.com *.google.com *.gstatic.com *.amazonaws.com *.bootstrapcdn.com *.jquery.com; img-src 'self' data: *.$server_name *.google.com *.google-analytics.com *.gstatic.com *.googleapis.com *.amazonaws.com *.gravatar.com *.w.org *.creativecommons.org *.jquery.com; font-src 'self' data: *.$server_name *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.$server_name *.googletagmanager.com; media-src 'self' *.$server_name *.w.org *.videopress.com; object-src 'self' *.$server_name; child-src 'self' *.googletagmanager.com *.google.com pastebin.com *.videopress.com akismet.com; form-action 'self'; frame-ancestors 'self' *.$server_name *.theluxurypeople.com; upgrade-insecure-requests; report-uri /csp-report-file.php";
# FF until v23, and partial support by IE10
add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com *.gstatic.com *.jquery.com *.videopress.com; style-src 'self' 'unsafe-inline' *.$server_name *.googleapis.com *.google.com *.gstatic.com *.amazonaws.com *.bootstrapcdn.com *.jquery.com; img-src 'self' data: *.$server_name *.google.com *.google-analytics.com *.gstatic.com *.googleapis.com *.amazonaws.com *.gravatar.com *.w.org *.creativecommons.org *.jquery.com; font-src 'self' data: *.$server_name *.gstatic.com *.bootstrapcdn.com; connect-src 'self' *.$server_name *.googletagmanager.com; media-src 'self' *.$server_name *.w.org *.videopress.com; object-src 'self' *.$server_name; child-src 'self' *.googletagmanager.com *.google.com pastebin.com *.videopress.com akismet.com; form-action 'self'; frame-ancestors 'self' *.$server_name *.theluxurypeople.com; upgrade-insecure-requests; report-uri /csp-report-file.php";
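Added example, not part of the gist: a small Python linter for a serialized CSP value like the one above. It mimics nginx's substitution of `$server_name`, checks the rendered value for the CR/LF that the WARNING comment says breaks Firefox over HTTP/2, splits the policy into directives (first occurrence wins, as browsers ignore duplicate directives), and reports which directives depend on `'unsafe-inline'` / `'unsafe-eval'`, the sources a reviewer tightens first. The `POLICY` string is an abbreviated copy of the gist's policy and `example.test` is a constructed host name.

```python
"""Lint a Content-Security-Policy value the way a reviewer of the nginx config
above would: render $server_name, reject line breaks, list unsafe sources.
Added example; the policy below is an abbreviated copy of the gist's header."""

# Abbreviated copy of the gist's policy; the real header carries more hosts.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com; "
    "style-src 'self' 'unsafe-inline' *.$server_name; "
    "object-src 'self' *.$server_name; "
    "form-action 'self'; "
    "upgrade-insecure-requests; "
    "report-uri /csp-report-file.php"
)

UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def render(policy: str, server_name: str) -> str:
    """Mimic nginx variable substitution of $server_name inside the header value."""
    return policy.replace("$server_name", server_name)


def has_line_breaks(header_value: str) -> bool:
    """True if the value contains CR or LF; HTTP/2 forbids them in header values
    and Firefox stops loading the page (see the bug reports in the gist)."""
    return "\r" in header_value or "\n" in header_value


def parse_csp(policy: str) -> dict:
    """Split a serialized CSP into {directive: [sources]}.
    Directives are ';'-separated, tokens inside a directive are whitespace-separated,
    and only the first occurrence of a directive name is kept."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def unsafe_directives(policy: str) -> dict:
    """Map each directive that allows an 'unsafe-*' keyword to the keywords it allows."""
    result = {}
    for name, sources in parse_csp(policy).items():
        found = UNSAFE_SOURCES & set(sources)
        if found:
            result[name] = sorted(found)
    return result


def lint(policy: str, server_name: str) -> list:
    """Return human-readable findings for the policy as nginx would emit it."""
    findings = []
    rendered = render(policy, server_name)
    if has_line_breaks(rendered):
        findings.append("header value contains CR/LF; Firefox will stop loading the page over HTTP/2")
    for name, keywords in unsafe_directives(rendered).items():
        findings.append(f"{name} allows {' '.join(keywords)}")
    return findings


if __name__ == "__main__":
    for finding in lint(POLICY, "example.test"):
        print(finding)
    # A "prettified" copy with one directive per line is exactly what the WARNING forbids.
    print("line breaks after reformatting:", has_line_breaks(POLICY.replace("; ", ";\n")))
```

One nginx caveat worth keeping next to the "Installation" note: `add_header` directives are inherited from the enclosing level only if the current level defines none of its own, so a `location` block that adds any header of its own must also include this file, or it will serve responses without the CSP.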
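The policy's `report-uri /csp-report-file.php` makes browsers POST a JSON violation report (Content-Type `application/csp-report`, one top-level `csp-report` object) to that path, and the Note links a script that turns such reports into a Google Analytics event and an email. As an added example, not the linked script or the gist's code, this Python function extracts the fields a notifier needs, refuses malformed bodies so the endpoint can answer 400 instead of forwarding garbage, and clips every field, since a report is untrusted input from a visitor's browser. `SAMPLE_REPORT` is a constructed report with a made-up `example.test` site and `third-party.invalid` blocked URL.

```python
"""Parse a CSP violation report as POSTed to report-uri and build the one-line
summary a notifier (email, analytics event) would send. Added example."""
import json

MAX_FIELD_LEN = 200  # clip attacker-controllable fields before they reach an email

# Constructed sample of a browser's report body; real reports carry the same keys.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/page",
        "referrer": "",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self' *.example.test; report-uri /csp-report-file.php",
        "blocked-uri": "https://third-party.invalid/x.js",
        "status-code": 200,
    }
})


def _clip(value, limit: int = MAX_FIELD_LEN) -> str:
    """Coerce to str and truncate; a report field is client input, never trust its size."""
    return str(value)[:limit]


def parse_report(body: str) -> dict:
    """Return document, directive and blocked URI from a report body.
    Raises ValueError on anything that is not a well-formed csp-report object."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    # Newer browsers send effective-directive; older ones only violated-directive.
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return {
        "document": _clip(report.get("document-uri", "")),
        "directive": _clip(directive),
        "blocked": _clip(report.get("blocked-uri", "")),
    }


def summarize(body: str) -> str:
    """The single line a notifier would put in the email subject or analytics event."""
    fields = parse_report(body)
    blocked = fields["blocked"] or "(unspecified)"
    return f"CSP violation on {fields['document']}: {fields['directive']} blocked {blocked}"


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```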