• janyx

    (@janyx)


    Today I installed the latest version of WordPress.
    I am using an apache2 web server behind an nginx reverse proxy server.
    I mainly set HTTP headers on the nginx server. Content-Security-Policy is set in nginx like this:

    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    

    Everything seems to be working fine, but I get this warning on securityheaders.com

    Content-Security-Policy: This policy contains ‘unsafe-inline’ which is dangerous in the default-src directive. This policy contains ‘unsafe-eval’ which is dangerous in the default-src directive.

    If I set Content-Security-Policy to

    add_header Content-Security-Policy "default-src 'self';" always;

    I get an A+ on securityheaders.com, but the whole WordPress site is destroyed (probably the CSS).

    I know it’s an nginx issue, but no one ever answers on the local nginx forum.


Viewing 2 replies - 1 through 2 (of 2 total)
  • As you have probably noticed, no one has been able to answer you here yet. The topic goes quite far past WordPress itself, so in my opinion it is actually not appropriate here.

    Has anyone reported this in the nginx forum? Otherwise, you can also report it in a community for the system used (Debian, Ubuntu…). If you use cPanel, Plesk or ISPConfig, there are probably people there who know the topic.

    Thread Starter janyx

    (@janyx)

    Thank you for your response.
    I set it up like this

        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:;" always;
    

    See my website. However, I still see many errors and warnings in the console. At least the website is not broken. When I log in to the administration, I cannot add or edit an article, etc. I see 54 errors in the console. Apparently I can’t debug it. I found a temporary solution: the Sentinel Headers Unlimited Extension. However, my goal is to set HTTP headers in nginx.

    Currently, the plugin is deactivated and the HTTP header is set in nginx. The results on httpheaders.com are great, but the administration is dysfunctional; in particular, JavaScript is not allowed.
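The behaviour seen in this thread follows from how CSP fetch directives fall back to default-src. The following is an added illustration, not code from the thread: it parses the three header values quoted above and reports, under simplified CSP Level 2 semantics (nonces and hashes are not modelled), which kinds of WordPress page resources each policy allows and which keywords securityheaders.com would flag.

```python
# Added example (not from the thread): model CSP fallback to default-src
# and check what each policy quoted above allows. Simplified CSP Level 2
# semantics; nonces/hashes (which disable 'unsafe-inline') are not modelled.

def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: set(source expressions)}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> set:
    """Fetch directives absent from the policy inherit default-src."""
    return policy[directive] if directive in policy else policy.get("default-src", set())


def lint(policy: dict) -> list:
    """Reproduce the securityheaders.com warning: unsafe keywords in default-src."""
    return [kw for kw in ("'unsafe-inline'", "'unsafe-eval'")
            if kw in policy.get("default-src", set())]


def check(header: str) -> dict:
    """Report whether typical WordPress page resources pass the policy."""
    policy = parse_csp(header)
    return {
        "warnings": lint(policy),
        # theme and block CSS emitted as <style> tags
        "inline_style": "'unsafe-inline'" in effective_sources(policy, "style-src"),
        # inline <script> blocks the editor/admin pages rely on
        "inline_script": "'unsafe-inline'" in effective_sources(policy, "script-src"),
        # data: URIs used for small images and embedded fonts
        "data_img": "data:" in effective_sources(policy, "img-src"),
    }


POLICIES = {  # the three header values quoted in this thread
    "original": "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';",
    "a_plus": "default-src 'self';",
    "final": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
             "img-src 'self' data:; font-src 'self' data:;",
}

if __name__ == "__main__":
    for name, header in POLICIES.items():
        print(name, check(header))
```

The "a_plus" policy blocks inline styles (the broken CSS), and the "final" policy restores styles but still blocks inline scripts, which matches the admin pages failing while the front end renders.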

  • The topic ‘How to set up CSP in nginx reverse proxy’ is closed to new replies.