Content Security Policy should be configurable per virtual host
basilabbas opened this issue · 1 comment
basilabbas commented
The top-level file nginx.conf defines lines for the Content-Security-Policy:
```nginx
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
    ~*text/html "script-src 'self'; object-src 'self'";
}
```
This is not practical since the `$content_security_policy` is different for each virtual host domain and should be set at the virtual host file level instead of the top-level `nginx.conf`.
LeoColomb commented
Thanks for opening this, @basilabbas!
> This is not practical since

Indeed. Actually I'm thinking of removing default activation.

> should be set at the virtual host

Maps can't be set in a `server{}`, only in `http{}`.
Anyway, that is up to the user to edit the main file to match the wanted config.
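One way a user can edit the main file to get a per-host policy while keeping the `map` in `http{}`, shown here as an added example rather than configuration from the h5bp project; the hostnames, paths and policy strings are placeholders to be replaced with the real virtual hosts:

```nginx
# Added example, not h5bp's own config. Both maps must live in http{},
# because nginx only accepts the map directive there; the server{} blocks
# then only reference the resulting variable.
http {
    # Step 1: pick a policy per virtual host. Hostnames and policies are
    # placeholders. `default` catches requests for hosts not listed here,
    # so an unknown or missing Host header still gets a restrictive policy.
    map $host $csp_for_host {
        default          "default-src 'self'; object-src 'none'";
        www.example.com  "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";
        api.example.com  "default-src 'none'; frame-ancestors 'none'";
    }

    # Step 2: keep h5bp's behaviour of sending the header only for HTML.
    # A map value may itself be a variable (nginx 1.11.0+), so the
    # per-host policy is pulled in here. Non-HTML responses get "", and
    # add_header skips a header whose value is empty.
    map $sent_http_content_type $content_security_policy {
        default      "";
        ~*text/html  $csp_for_host;
    }

    server {
        listen 80;
        server_name www.example.com;            # placeholder
        root /var/www/www.example.com;          # placeholder
        # `always` also sends the header on error pages (4xx/5xx),
        # which are HTML too and otherwise ship without a policy.
        add_header Content-Security-Policy $content_security_policy always;
    }

    server {
        listen 80;
        server_name api.example.com;            # placeholder
        root /var/www/api.example.com;          # placeholder
        add_header Content-Security-Policy $content_security_policy always;
    }
}
```

After reloading, `curl -sI http://www.example.com/` and `curl -sI http://api.example.com/` should show the two different policies, and a request for a `.css` or `.js` file should show no `Content-Security-Policy` header at all.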