Browse Source

Map the content_security_policy header to the request_uri.

merge-requests/151/head
Bauke 1 year ago
committed by Deimos
parent
commit
462dbfb580
  1. 14
      ansible/roles/nginx_site_config/templates/tildes.conf.jinja2

14
ansible/roles/nginx_site_config/templates/tildes.conf.jinja2

@ -11,6 +11,15 @@ map $sent_http_content_type $expires_type_map {
~image/ max;
}
map $request_uri $csp_header {
# The default CSP:
# - "img-src data:" is needed for Spectre.css icons
default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
# The CSP for the Stripe donation page:
# - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
"~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
}
server {
# block bots that don't obey robots.txt
if ($http_user_agent ~* (SemrushBot)) {
@ -39,10 +48,7 @@ server {
{% endif %}
{% if nginx_enable_csp %}
# Content Security Policy:
# - "img-src data:" is needed for Spectre.css icons
# - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
add_header Content-Security-Policy $csp_header always;
{% endif %}
add_header X-Content-Type-Options "nosniff" always;

Loading…
Cancel
Save