Nesting variables to build header contents - is there a better way?

petecooper nginx-forum at forum.nginx.org
Mon Nov 12 11:34:08 UTC 2018


Hello.

I use `add_header` to build Content Security Policy and Feature Policy
headers. To help with change control and maintainability I build an Nginx
variable from nothing and add each Content Security Policy and Feature
Policy data/source type on a different line. The Nginx variable is unique to
the `server` block. For example (excerpt from `server` block for
subdomain.example.com):

	#nested variable for Content Security Policy maintainability
	set $contentsecuritypolicy_https_subdomain_example_com '';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}connect-src \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}default-src \'none\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}font-src \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}frame-ancestors \'none\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}img-src \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}manifest-src \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}media-src \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}object-src \'none\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}script-src \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}style-src https://cdnjs.cloudflare.com \'self\';';
	set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}worker-src \'self\';';
	add_header Content-Security-Policy $contentsecuritypolicy_https_subdomain_example_com;
	#nested variable for Feature Policy maintainability
	set $featurepolicy_https_subdomain_example_com '';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}camera \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}fullscreen \'self\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}geolocation \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}gyroscope \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}magnetometer \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}microphone \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}midi \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}notifications \'self\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}payment \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}push \'self\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}speaker \'none\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}sync-xhr \'self\';';
	set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}vibrate \'none\''; #no trailing semicolon
	add_header Feature-Policy $featurepolicy_https_subdomain_example_com;

This method provides a level of visibility for change control, and is
preferable to the everything-on-one-line method for each header type.

I am aware this method also consumes additional memory due to the increased
`variables_hash_bucket_size` requirements.

Is there an alternative way I could build two headers with each
content/source type on its own line, without nesting and appending
variables?

Thank you in advance for any feedback or advice.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281912,281912#msg-281912


