Content-Security-Policy header gets lowercased

Francis Daly francis at
Thu Oct 8 07:28:01 UTC 2015

On Wed, Oct 07, 2015 at 12:19:56PM +0200, Joó Ádám wrote:

Hi there,

> I noticed that when adding a `Content-Security-Policy` header to the
> response, the header name gets lowercased. Neither
> `Content-Security-Polic` nor `Content-Security-Policyy`, nor any other
> header I came across gets lowercased. Is this a bug?

Works for me:

    server {
        add_header Content-Security-Policy "nginx $request_uri";
        listen 8195;
    }

    $ curl -sI http://localhost:8195/300.txt | grep nginx
    Server: nginx/1.9.5
    Content-Security-Policy: nginx /300.txt

How can I reproduce the problem that you see?

Francis Daly        francis at
