Content Security Policy Headers are not appearing
Maxim Dounin
mdounin at mdounin.ru
Wed Nov 30 03:55:49 UTC 2022
Hello!
On Tue, Nov 29, 2022 at 10:35:22PM -0500, blason wrote:
> Well this is particularly I noticed for https vhost config. The CSP headers
> are properly being displayed for http but not https.
>
> Here is my config
>
> more /etc/nginx/conf.d/sec-headers.conf
>
> add_header Content-Security-Policy "default-src 'self'; font-src *;img-src *
> data:; script-src *; style-src *;" always;
>
>
>
> server {
> include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
> include /etc/nginx/conf.d/sec-headers.conf;
> listen 80;
> .
> ..
> .
>
> And here is https
>
> server {
> include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
> include /etc/nginx/conf.d/sec-headers.conf;
> listen 443 ssl http2;
>
>
> However https properly gets reflected but not with https.
Note this sentence in the documentation
(https://nginx.org/r/add_header):
: These directives are inherited from the previous configuration
: level if and only if there are no add_header directives defined on
: the current level.
Your "add_header" directive is defined on the server level. If
there is a location where you use the "add_header" directive for
something else (such as "Strict-Transport-Security" and other
headers as seen in the https response you've provided), this will
prevent headers from the server level from being added.
To fix this, consider repeating the "add_header" directive again
in the affected locations. Alternatively, define all the
"add_header" directives at the server level and remove them from
locations, so the directives defined at the server level will be
used in all locations.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
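The inheritance rule Maxim quotes, shown as an added configuration example (not from the thread or from nginx itself). The server_name, the HSTS value and the location are placeholders; the sec-headers.conf content is the one posted above.

```nginx
# /etc/nginx/conf.d/sec-headers.conf (included at server level, as in the thread)
add_header Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;" always;

# BROKEN: the location block has its own add_header, so no add_header
# directives are inherited from the server level. The https vhost therefore
# sends Strict-Transport-Security but no Content-Security-Policy.
server {
    listen 443 ssl http2;
    server_name example.com;                  # placeholder
    include /etc/nginx/conf.d/sec-headers.conf;

    location / {
        add_header Strict-Transport-Security "max-age=63072000" always;  # placeholder value
        # Content-Security-Policy is NOT emitted for requests hitting this location
    }
}

# FIXED, option 1: repeat the shared headers in every location that sets its own
server {
    listen 443 ssl http2;
    server_name example.com;
    include /etc/nginx/conf.d/sec-headers.conf;

    location / {
        add_header Strict-Transport-Security "max-age=63072000" always;
        include /etc/nginx/conf.d/sec-headers.conf;   # re-adds CSP at this level
    }
}

# FIXED, option 2: keep all add_header directives at the server level only
server {
    listen 443 ssl http2;
    server_name example.com;
    include /etc/nginx/conf.d/sec-headers.conf;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # no add_header here, so both server-level headers are inherited
    }
}
```

To verify which variant is active, `nginx -T` prints the effective configuration and `curl -sI https://example.com/ | grep -i content-security-policy` shows whether the header reaches the client on the https vhost.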