h5bp / server-configs-nginx

Nginx HTTP server boilerplate configs


Content Security Policy should be configurable per virtual host

basilabbas opened this issue · comments

The top-level file nginx.conf defines lines for the Content-Security-Policy:

  # Add Content-Security-Policy for HTML documents.
  # h5bp/security/content-security-policy.conf
  map $sent_http_content_type $content_security_policy {
    ~*text/html "script-src 'self'; object-src 'self'";
  }

This is not practical since the $content_security_policy is different for each virtualhost domain and should be set at the virtual host file level instead of the top level nginx.conf.

Thanks for opening this, @basilabbas!

> This is not practical since

Indeed. Actually I'm thinking of removing default activation.

> should be set at the virtual host

Maps can't be set in a server{}, only in http{}.
Anyway, that is up to the user to edit the main file to match the wanted config.
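One way to get a per-virtual-host policy while keeping the map in http{}, as the maintainer notes it must be, is to chain two maps: a first map keyed on $host selects the policy string for that site, and the existing content-type map only applies it to HTML responses. The configuration below is an added example written for this thread, not part of the h5bp repository; the host names, the $csp_policy variable name and the policy strings are assumptions chosen for illustration.

```nginx
http {
    # Added example, not from h5bp. Per-site policy, keyed on the Host header.
    # Hosts that do not appear here fall back to the restrictive default.
    map $host $csp_policy {
        default          "default-src 'self'";
        www.example.com  "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";
        blog.example.com "default-src 'self'; img-src 'self' data:; object-src 'none'";
    }

    # Same shape as the h5bp map, but the value is now taken from $csp_policy
    # (map values may reference variables), so only HTML documents get a header.
    map $sent_http_content_type $content_security_policy {
        ~*text/html $csp_policy;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;
        # "always" also emits the header on 4xx/5xx responses.
        add_header Content-Security-Policy $content_security_policy always;
        # ... rest of the site config
    }

    server {
        listen 443 ssl;
        server_name blog.example.com;
        add_header Content-Security-Policy $content_security_policy always;
        # ... rest of the site config
    }
}
```

After reloading, `curl -sI https://www.example.com/` should show the site-specific Content-Security-Policy header on HTML responses and no such header on, for example, a CSS or image response. Keep in mind that add_header directives are not inherited if a location{} block declares its own add_header, so repeat the line in any location that adds other headers.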