Content Security Policy Headers are not appearing
blason
nginx-forum at forum.nginx.org
Wed Nov 30 03:35:22 UTC 2022
Well, this is something I particularly noticed for the https vhost config. The CSP headers
are properly being displayed for http but not https.
Here is my config
more /etc/nginx/conf.d/sec-headers.conf
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;
server {
include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
include /etc/nginx/conf.d/sec-headers.conf;
listen 80;
.
..
.
And here is https
server {
include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
include /etc/nginx/conf.d/sec-headers.conf;
listen 443 ssl http2;
However, http properly gets reflected, but not https.
curl -I http://www.xxxx.xxx
HTTP/1.1 301 Moved Permanently
Date: Wed, 30 Nov 2022 03:20:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.xxxx.xxxx
Server: applox-waf
Content-Security-Policy: default-src 'self'; font-src *;img-src * data:;
script-src *; style-src *;
HTTP/1.1 200 OK
Date: Wed, 30 Nov 2022 03:33:47 GMT
Content-Type: text/html
Content-Length: 37579
Connection: keep-alive
Cache-Control: private
Set-Cookie: ASPSESSIONIDSGSTSTQQ=KOMPLPOCKOFKKCOELBNALAKE; secure; path=/
Server: applox-waf
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295928,295929#msg-295929
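The usual reason for this symptom, shown here as an added example that is not part of the original post: nginx's add_header directives are inherited from the enclosing level only when the current level defines no add_header of its own, so a location block (or the https server block itself) that sets other headers such as Strict-Transport-Security silently drops the CSP pulled in at server level. Whether that is the cause in this config is an assumption; the config below is constructed, and the backend name and server_name are placeholders.

```nginx
# Constructed example (not the poster's config). Each server block is an
# alternative version of the same https vhost, not meant to be loaded together.

# Shared include, same idea as the poster's sec-headers.conf:
# add_header Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;" always;

# BEFORE: CSP is included at server level, but the location block defines its
# own add_header directives, so nothing from server level is inherited there.
server {
    listen 443 ssl http2;
    server_name csp-before.example.test;
    include /etc/nginx/conf.d/sec-headers.conf;   # CSP at server level only

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options SAMEORIGIN always;
        # Responses from here carry HSTS and X-Frame-Options but no CSP.
        proxy_pass http://backend_placeholder;
    }
}

# AFTER: every add_header lives at the level that produces the response.
# Repeating the include inside the location (or moving all add_header
# directives to one level) restores the CSP alongside the other headers.
server {
    listen 443 ssl http2;
    server_name csp-after.example.test;

    location / {
        include /etc/nginx/conf.d/sec-headers.conf;   # CSP now at this level
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options SAMEORIGIN always;
        proxy_pass http://backend_placeholder;
    }
}

# Verify with the same approach as the original post, once per vhost:
#   curl -sI https://csp-after.example.test/ | grep -i content-security-policy
```

Any add_header in a nested location, or one pulled in by another include at that level, has the same effect, so check each level that serves the https response rather than only the server block.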