'add_header' no longer allowed inside 'if', even though document says it is?

Valentin V. Bartenev vbart at nginx.com
Wed Feb 18 17:12:25 UTC 2015


On Wednesday 18 February 2015 17:57:13 Daniël Mostertman wrote:
[..]
> What am I doing wrong, if anything? And if I can avoid using "if" like 
> that, I'd obviously prefer that.
> 

You can avoid it by using the map directive and a variable
as the add_header value.

Like this:

  map $http_user_agent $csp {
      ~MSIE   "";
      default "
        default-src  'self' https://*.example.nl https://*.example.net;
        connect-src  'self' https://*.example.nl https://*.example.net;
        font-src     'self' data: https://*.example.nl https://*.example.net;
        script-src   'self' 'unsafe-inline' 'unsafe-eval' https://*.example.nl https://*.example.net;
        style-src    'self' 'unsafe-inline';
        img-src      'self' data: https://*.example.nl https://*.example.net;
        frame-src    'self';
        object-src   'self' 'unsafe-inline';
     ";
  }

  add_header Content-Security-Policy $csp;

--

  wbr, Valentin V. Bartenev



More information about the nginx mailing list