Content Security Policy - Nginx

Sathish Kumar satcse88 at
Sun Jun 9 22:39:20 UTC 2019


I would like to enable the Content-Security-Policy header on Nginx for our
website to protect it from data injection attacks and XSS. Can I add a config
like the one below? If anybody hits our URL, they will know the allowed domains
from the header.

Is there any other, better way to do this?

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src; object-src 'none'";
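The following is an added example, not part of the original post. It shows the nginx configuration a security engineer would use instead of the posted policy: the allow-list in a CSP header is inherently public, since the browser enforces it client-side, so the goal is not to hide it but to make sure it actually blocks injected scripts. With 'unsafe-inline' and 'unsafe-eval' in script-src, an injected inline <script> or an eval() of attacker-controlled text is still allowed, which defeats the purpose of CSP. The example replaces them with a per-request nonce taken from nginx's $request_id, sets the empty frame-src to an explicit 'none', and adds frame-ancestors, base-uri and form-action. The hostname, certificate paths, document root, the /csp-report endpoint and the CSP_NONCE placeholder that the application is assumed to write into its inline tags are all assumptions for the example.

```nginx
# Added example, not the original poster's configuration.
# Assumptions: example.com, the certificate paths and /var/www/html are
# placeholders; the application emits inline code as
# <script nonce="CSP_NONCE"> / <style nonce="CSP_NONCE"> and sub_filter
# rewrites that marker per request. Needs nginx >= 1.11.0 ($request_id)
# built with ngx_http_sub_module (default in distribution packages).
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    root /var/www/html;                                   # placeholder
    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key; # placeholder

    # $request_id is 16 random bytes rendered as 32 hex characters, generated
    # fresh for every request: unpredictable and never reused, which is exactly
    # what a CSP nonce must be. Hex is a subset of the base64 alphabet the
    # nonce grammar requires.
    set $csp_nonce $request_id;

    # Hardened policy.
    #  - script-src / style-src: inline code runs only if it carries this
    #    request's nonce; no 'unsafe-inline', no 'unsafe-eval'.
    #  - 'strict-dynamic': scripts loaded by a nonced script are trusted, and
    #    CSP3 browsers ignore the 'self' host fallback kept for older browsers.
    #  - frame-src 'none': this page embeds no frames (the posted "frame-src;"
    #    with an empty list behaves the same, but 'none' says so explicitly).
    #  - frame-ancestors 'none': nobody may frame this page (clickjacking).
    #  - object-src 'none': no plugins.
    #  - base-uri / form-action: two injection targets default-src does not
    #    cover (a planted <base href> or a form posting credentials elsewhere).
    #  - report-uri: browsers POST violation reports here.
    #  - always: also send the header on 4xx/5xx responses, which are a
    #    common place for reflected input to end up.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$csp_nonce' 'strict-dynamic'; style-src 'self' 'nonce-$csp_nonce'; img-src 'self'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report" always;

    # Stamp the nonce into every inline tag of the HTML. sub_filter only
    # operates on uncompressed text/html (its default type); when proxying to
    # an upstream, also set: proxy_set_header Accept-Encoding "";
    sub_filter_once off;
    sub_filter 'nonce="CSP_NONCE"' 'nonce="$csp_nonce"';

    location / {
        try_files $uri $uri/ =404;
        # Gotcha: any add_header inside a location replaces ALL add_header
        # directives inherited from the server block. Adding a header here
        # without repeating the CSP line silently drops the policy.
    }

    # Placeholder report sink: accepts violation reports and discards them.
    # Point report-uri at a real collector before relying on the reports.
    location = /csp-report {
        return 204;
    }
}
```

To roll this out without breaking the site, send the same value under Content-Security-Policy-Report-Only first and review what arrives at the report endpoint; switch the header name to Content-Security-Policy once the reports show only genuine violations. If the application cannot emit nonced tags, the fallback is to move all inline scripts and styles into files served from 'self' rather than to reintroduce 'unsafe-inline'.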
