Content Security Policy (CSP) is a security feature provided by web browsers to help prevent a wide range of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. CSP provides a layer of security by allowing web developers to define the sources from which a website can load resources like scripts, styles, images, fonts, and more.

Replace my-website.com in the examples below with your own domain.

1. Content-Security-Policy (CSP) to restrict the sources of content that the browser may load.

  • default-src 'self': Restricts every resource type to the page's own origin unless a more specific directive below overrides it.
  • script-src: Allows scripts from the domain itself, inline scripts ('unsafe-inline'), eval-style code execution ('unsafe-eval'), data: URLs, any HTTPS origin (https:), *.google.com and *.my-website.com.
  • style-src: Allows styles from the domain itself, inline styles ('unsafe-inline'), any HTTPS origin, *.google.com and *.my-website.com.
  • img-src: Allows images from the domain itself, data: URLs, any HTTPS origin, *.google.com and *.my-website.com.
  • font-src: Allows fonts from the domain itself, data: URLs, any HTTPS origin and *.gstatic.com.
  • connect-src: Restricts API connections (XHR, fetch, WebSocket) to the domain itself, any HTTPS origin and *.my-website.com.
  • child-src / worker-src: Allow nested frames and web workers from the domain itself and blob: URLs.
  • frame-src: Restricts frames to the domain itself, any HTTPS origin and *.google.com.
  • object-src 'none': Blocks plugin content such as <object> and <embed> entirely.

Two caveats before copying this: the https: source matches every HTTPS origin, so the named hosts next to it add nothing, and 'unsafe-inline' together with 'unsafe-eval' on script-src removes most of the protection CSP offers against XSS. Treat the policy as a starting point and narrow it to the origins your site really uses.

add_header Content-Security-Policy "
    default-src 'self'; 
    script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: *.google.com *.my-website.com;
    style-src 'self' 'unsafe-inline' https: *.google.com *.my-website.com; 
    img-src 'self' data: https: *.google.com *.my-website.com;
    font-src 'self' data: https: *.gstatic.com;
    connect-src 'self' https: *.my-website.com;
    child-src 'self' blob:;
    worker-src 'self' blob:;
    frame-src 'self' https: *.google.com; 
    object-src 'none'" always;

Example 2, a far more permissive variant. Because `*`, `https:` and `data:` appear on almost every directive, it allows content from effectively any origin and therefore gives little of the protection described above.

add_header Content-Security-Policy "
   default-src * 'self' data: blob: https:; 
   font-src * data: https: 'self'; 
   script-src data: * https: 'self' 'unsafe-inline' 'unsafe-eval' blob:; 
   style-src 'self' https: data: * 'unsafe-inline' blob:; 
   frame-ancestors 'self' data: https: *; 
   connect-src 'self' https: data: wss: blob:; 
   img-src 'self' * data: https: blob:; 
   frame-src 'self' https: data: blob: *" always;
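To see what the two policies above actually permit, here is an added example (not part of the original post) that parses a CSP value, applies the default-src fallback, and flags source expressions that weaken a directive; the policy strings at the bottom are excerpts of the two nginx examples, and base-uri, which neither example sets and which never falls back, comes out empty.

```python
"""Audit a Content-Security-Policy value: parse it and flag weakening sources."""
# Added example, not from the original post. The policies at the bottom are
# excerpts of the two nginx examples above; the domain names are the post's placeholders.

# Source expressions that make a directive (nearly) wide open or re-enable
# behaviour CSP exists to block. Context matters: data: is common in img-src
# but is a script-injection vector in script-src.
WEAK_SOURCES = {"*", "https:", "http:", "data:", "blob:", "'unsafe-inline'", "'unsafe-eval'"}

# Fetch directives that fall back to default-src when absent. Simplified: the
# real chain for worker-src and frame-src passes through child-src first.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                       "object-src", "frame-src", "child-src", "worker-src", "media-src"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source, ...]}.

    Directives are ';'-separated and tokens whitespace-separated, so newlines from
    the nginx multi-line form are harmless here. Names are case-insensitive and a
    repeated directive is ignored, as CSP requires.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that govern `directive` after the default-src fallback; directives
    that never fall back (base-uri, form-action, frame-ancestors) are [] when unset."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def weak_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Weak source expressions in the effective source list for `directive`."""
    return [s for s in effective_sources(policy, directive) if s in WEAK_SOURCES]


EXAMPLE_1 = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: "
             "*.google.com *.my-website.com; img-src 'self' data: https:; object-src 'none'")
EXAMPLE_2 = ("default-src * 'self' data: blob: https:; "
             "script-src data: * https: 'self' 'unsafe-inline' 'unsafe-eval' blob:")
```

Running `weak_sources(parse_csp(EXAMPLE_2), "object-src")` shows how example 2's wide default-src leaks into every directive it does not set explicitly.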

2. Strict-Transport-Security (HSTS) to enforce the use of HTTPS.

  • max-age=31536000: Sets the policy for 1 year (31536000 seconds).
  • includeSubDomains: Ensures the policy applies to all subdomains.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

3. Referrer-Policy to control the referrer information that is shared.

strict-origin-when-cross-origin: Sends the full URL as the referrer only for same-origin requests, sends only the origin for cross-origin requests, and sends nothing when downgrading from HTTPS to HTTP, which keeps URL paths and query strings private.

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

4. Permissions-Policy to restrict access to hardware features.

Each listed feature (accelerometer, camera, geolocation, etc.) gets an empty allowlist `()`, which disables it for this page and for any frames it embeds.

add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;

5. X-Frame-Options to prevent framing content by other sites.

DENY: Forbids every site, including this one, from framing the page, which prevents clickjacking attacks. Browsers that support the CSP frame-ancestors directive ignore X-Frame-Options when frame-ancestors is present, so example 2 above, which sets frame-ancestors to `*`, would override this DENY in those browsers.

add_header X-Frame-Options "DENY" always;

6. X-Content-Type-Options to prevent MIME-sniffing.

nosniff: Ensures the browser only processes content types as declared, preventing MIME-sniffing exploits.

add_header X-Content-Type-Options "nosniff" always;

7. Access-Control-Allow-Origin to allow cross-origin (CORS) access

Access-Control-Allow-Origin tells browsers which origins may read this server's responses from cross-origin scripts. `*` allows every origin; narrow it to the specific origins (for example your own subdomains) that need access, and note that browsers reject `*` for requests that send credentials such as cookies. The `always` flag is added so the header also appears on error responses; without it, nginx only adds headers to successful and redirect responses (2xx and 3xx).

add_header "Access-Control-Allow-Origin" "*" always;

8. Specifying HTTP methods allowed for CORS requests.

Allows GET, POST, OPTIONS, HEAD, DELETE and PUT from external origins.

add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE, PUT" always;

9. Specifying headers allowed for CORS requests.

Allows various common headers to support API requests from clients.

add_header "Access-Control-Allow-Headers" "DNT, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, Accept" always;

Handling preflight requests

Before a cross-origin request with a non-simple method or a custom header, the browser sends an OPTIONS preflight; answering it here with 204 and the CORS headers keeps it off the backend. The CORS headers are repeated inside the block because nginx does not inherit add_header directives into a block that defines its own, and an if block containing add_header is only valid inside a location (add_header is allowed in the http, server, location and if-in-location contexts).

if ($request_method = OPTIONS) {
    add_header "Access-Control-Allow-Origin" "*" always;
    add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE, PUT" always;
    add_header "Access-Control-Allow-Headers" "DNT, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, Accept" always;
    add_header "Access-Control-Max-Age" "300" always;
    return 204;  # No Content
}

Combine it all in one file

Put this snippet in your nginx configuration, in the http, server, or location block depending on your needs. Two nginx rules matter here: add_header directives are inherited from an enclosing block only when the current block defines none of its own, so a location that adds even one header of its own must repeat the whole set; and an if block containing add_header is valid only inside a location, so the preflight part belongs in a location block.

# Content-Security-Policy (CSP) to restrict sources of content that the browser can load.
add_header Content-Security-Policy "
    default-src 'self'; 
    script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: *.google.com *.my-website.com;
    style-src 'self' 'unsafe-inline' https: *.google.com *.my-website.com; 
    img-src 'self' data: https: *.google.com *.my-website.com;
    font-src 'self' data: https: *.gstatic.com;
    connect-src 'self' https: *.my-website.com;
    child-src 'self' blob:;
    worker-src 'self' blob:;
    frame-src 'self' https: *.google.com; 
    object-src 'none'" always;

# Strict-Transport-Security (HSTS) to enforce the use of HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Referrer-Policy to control the referrer information that is shared.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Permissions-Policy to restrict access to hardware features.
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;

# X-Frame-Options to prevent framing content by other sites.
add_header X-Frame-Options "DENY" always;

# X-Content-Type-Options to prevent MIME-sniffing.
add_header X-Content-Type-Options "nosniff" always;

# Allowing CORS access (the example allows every origin; narrow it to your own subdomains)
add_header "Access-Control-Allow-Origin" "*" always;

# Specifying HTTP methods allowed for CORS requests.
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE, PUT" always;

# Specifying headers allowed for CORS requests.
add_header "Access-Control-Allow-Headers" "DNT, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, Accept" always;

# Handling preflight requests
if ($request_method = OPTIONS) {
    add_header "Access-Control-Allow-Origin" "*" always;
    add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, DELETE, PUT" always;
    add_header "Access-Control-Allow-Headers" "DNT, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Range, Authorization, Accept" always;
    add_header "Access-Control-Max-Age" "300" always;
    return 204;  # No Content
}
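After deploying the combined snippet, a practitioner will want to confirm what the server actually sends. The following added example (not part of the original post) audits a captured response header set against the expectations in this post; HEADERS is a constructed sample mirroring what the snippet emits on a normal response, with the CSP shortened.

```python
"""Check a captured response's security headers against this post's expectations."""
# Added example, not from the original post. HEADERS is constructed to mirror what the
# combined nginx snippet above emits on a normal (non-preflight) response.
import re

ONE_YEAR = 31536000  # the max-age the post uses


def parse_hsts(value: str) -> tuple[int, bool]:
    """Return (max-age in seconds, includeSubDomains present) for an HSTS value."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    age = int(match.group(1)) if match else 0
    return age, "includesubdomains" in value.lower()


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings as strings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    age, subs = parse_hsts(h.get("strict-transport-security", ""))
    if age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below one year")
    if not subs:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    for name in ("content-security-policy", "referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("CORS allows any origin (*)")
        # Browsers refuse to expose a response that pairs * with credentials.
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("ACAO * combined with Allow-Credentials: true is rejected by browsers")
    return findings


# Constructed sample: header set the combined snippet produces (CSP shortened).
HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "*",
}
```

Feed it the headers from a real response (for example the output of `curl -sI` parsed into a dict) and the only finding for this configuration is the wildcard CORS origin.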
