Content Security Policy - Nginx

Sathish Kumar satcse88 at
Mon Jun 17 12:03:32 UTC 2019


I tried using inline script by allowing unsafe-inline in Content Security
Policy header but am getting below error.

Refused to execute inline event handler because it violates the following
Content Security Policy directive: "script-src 'self'. Either the
'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is
required to enable inline execution.

I am able to generate sha256/nonce from code but how to validate and set in
response header in Nginx.

On Mon, Jun 10, 2019, 6:39 AM Sathish Kumar <satcse88 at> wrote:

> Hi,
> I would like to enable Content Security Policy header on Nginx for our
> website to protect from data injection attacks and XSS. Can I add like the
> below config?. If anybody hit our URL they will know the allowed domains in
> the header.
> Is there any other bettery way to do this?
> add_header Content-Security-Policy "default-src 'self'; script-src 'self'
> 'unsafe-inline' 'unsafe-eval'
>; img-src 'self'
>; style-src 'self' 'unsafe-inline'
>; font-src 'self'
>; frame-src
>; object-src 'none'";
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list