How to set a conditional Content-Security-Policy?

hal469 at hal469 at
Tue Mar 27 16:50:14 UTC 2018

For my nginx server, I set a CSP header

 set $CSP '';
 set $CSP "${CSP}default-src 'self';";
 set $CSP "${CSP}script-src  'self';";
 add_header Content-Security-Policy $CSP;

For a webapp, using Symfony, the developer UI injects inline script for display of a "Debug Toolbar"

It's access-blocked by that^ server policy.


-	set $CSP "${CSP}script-src  'self';";
+	set $CSP "${CSP}script-src  'self' 'unsafe-inline';";

fixes the problem -- access the debug toolbar is allowed, and it's rendered.
But, adding the 'unsafe-inline' is certainly not ideal!

Apache has the option to create/return a CSP policy depending on Request IP:

How would the equivalent be done in nginx config?

Iiuc, there's no if/then/else construct.

Something with maps maybe?


More information about the nginx mailing list