How to set a conditional Content-Security-Policy?

hal469 at hal469 at
Tue Mar 27 17:56:45 UTC 2018

> There are "if" constructs in nginx, see

Well I'll be darned.  I'd thought "if was evil".  Thx.

> On the other hand, if you want to set CSP depending on the client 
> IP address, it might be better idea to use "geo" instead, e.g.:
> geo $csp {
>     default     "default-src 'self'; script-src 'self';";
>  "default-src 'self'; script-src 'self' 'unsafe-inline'";
> }
> add_header Content-Security-Policy $csp;

Works perfectly!  Thx!

More information about the nginx mailing list