Content-Security-Policy (CSP) for nginx (webapp)
- 
 Hi everyone, I just switched from Apache to nginx and used this 
 https://kb.kopano.io/display/WIKI/Nginx
 manual to configure my nginx for the Kopano WebApp. So far everything works fine, but if the nginx config is checked by https://observatory.mozilla.org 
 I only get a B. Reason:
 Content Security Policy -25 Content Security Policy (CSP) header not implemented
 I am not familiar with CSP on nginx (my Apache had an A rating)… but I read a little bit and found 
 add_header Content-Security-Policy-Report-only "default-src 'self'";
 so my browser reports
 [Report Only] Refused to execute inline script because it violates the following Content Security Policy
 Any advice about a working CSP? 
 thx & br
 Andreas
- 
 Hi! 
 Well, there was a little time and I found this blog: https://www.uriports.com/blog/creating-a-content-security-policy-csp/ 
 so I started creating my own CSP. Add this to your nginx config:
 add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'";
 and start the development tools of your browser.
 In my case I got 3 messages like this here: so I modified my policy with these 3 sha256 hashes:  Of course first with the add_header Content-Security-Policy-Report-Only, and after there were no reports I activated my policy. 
 Now https://observatory.mozilla.org reports an A+. BUT I did not perform a login… so switch back to report only and perform a login - there you will get a few more hashes ;) 
 br 
 Andreas
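
The workflow in the post above (report-only first, then add a sha256 hash for each inline script the browser flags) can also be done offline. This is an added example, not code from the thread or from Kopano: it computes the CSP hash of every inline `<script>` in a page and prints the matching `add_header` line. The sample HTML, `SAMPLE_HTML`, and the helper names are constructed for illustration, and UTF-8 page encoding is assumed.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (not taken from Kopano WebApp).
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/client/app.js"></script>
<script>var cfg = {"lang": "en"};</script>
<script>
  window.started = true;
</script>
</head><body></body></html>"""

def csp_hash(text: str) -> str:
    """CSP source expression for one inline block: base64 of the raw SHA-256."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineScriptHasher(HTMLParser):
    """Collect hashes for <script> elements without a src attribute."""
    def __init__(self):
        super().__init__()
        self.hashes = []
        self._buf = None  # text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf)  # exact text, whitespace included
            if body and csp_hash(body) not in self.hashes:
                self.hashes.append(csp_hash(body))
            self._buf = None

def build_header(html: str, report_only: bool = True) -> str:
    """Return an nginx add_header line based on the policy from the post."""
    parser = InlineScriptHasher()
    parser.feed(html)
    parser.close()
    name = "Content-Security-Policy" + ("-Report-Only" if report_only else "")
    script_src = " ".join(["'self'"] + parser.hashes)
    return (f"add_header {name} \"default-src 'self'; font-src 'self'; "
            f"img-src 'self'; script-src {script_src}; style-src 'self'\";")

if __name__ == "__main__":
    print(build_header(SAMPLE_HTML))
```

The hash covers the exact bytes between the tags, so any change to an inline script, even whitespace, needs a new hash. Inline event-handler attributes are not matched by these hashes.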