How to set a conditional Content-Security-Policy?

hal469 at xsmail.com
Tue Mar 27 17:56:45 UTC 2018


> There are "if" constructs in nginx, see http://nginx.org/r/if.

Well I'll be darned.  I'd thought "if was evil".  Thx.

> On the other hand, if you want to set CSP depending on the client 
> IP address, it might be better idea to use "geo" instead, e.g.:
> 
> geo $csp {
>     default     "default-src 'self'; script-src 'self';";
>     10.0.0.0/8  "default-src 'self'; script-src 'self' 'unsafe-inline'";
> }
> 
> add_header Content-Security-Policy $csp;

Works perfectly!  Thx!
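
The following is an added example, not part of the original message or of nginx: a small Python audit that parses the `geo` block quoted above, mimics its lookup (most specific matching network wins, otherwise `default`), and reports which client ranges receive a policy that permits inline script. The function names and the sample client addresses are assumptions made for illustration.

```python
import ipaddress
import re

# The geo block quoted in the message above, embedded as sample input.
GEO_BLOCK = '''
geo $csp {
    default     "default-src 'self'; script-src 'self';";
    10.0.0.0/8  "default-src 'self'; script-src 'self' 'unsafe-inline'";
}
'''

# One entry per line: <key> "<value>";
ENTRY = re.compile(r'^\s*(\S+)\s+"([^"]*)"\s*;\s*$')

def parse_geo(text):
    """Return (default_value, [(network, value), ...]) from a geo block."""
    default, nets = None, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skips the "geo $csp {" and "}" lines
        key, value = m.groups()
        if key == "default":
            default = value
        else:
            nets.append((ipaddress.ip_network(key), value))
    return default, nets

def resolve(addr, default, nets):
    """Mimic the geo lookup: the most specific matching network wins."""
    ip = ipaddress.ip_address(addr)
    hits = [(n.prefixlen, v) for n, v in nets
            if n.version == ip.version and ip in n]
    return max(hits, key=lambda h: h[0])[1] if hits else default

def script_src(policy):
    """Return the source list of the script-src directive, or []."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []

def relaxed_ranges(default, nets):
    """Networks allowed inline script although the default policy forbids it."""
    if "'unsafe-inline'" in script_src(default):
        return []
    return [str(n) for n, v in nets if "'unsafe-inline'" in script_src(v)]

if __name__ == "__main__":
    default, nets = parse_geo(GEO_BLOCK)
    for client in ("10.1.2.3", "203.0.113.7"):  # constructed sample clients
        print(client, "->", resolve(client, default, nets))
    print("relaxed ranges:", relaxed_ranges(default, nets))
```

`geo` matches on `$remote_addr` by default, so when nginx sits behind a proxy or load balancer in 10.0.0.0/8 the relaxed policy applies to every request arriving through it, not only to internal clients.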
