NGINX

Configure a Strict Content Security Policy (CSP) in Nginx

Enhance web security by configuring a robust Content Security Policy (CSP) in Nginx, preventing XSS and injection attacks by controlling resource loading.

# Nginx configuration (goes in a server block or a location block)

# Example: strict CSP for a typical web application.
# add_header takes the header name plus ONE value argument, so the whole
# policy must be a single quoted string. Nginx does not join adjacent quoted
# strings and does not treat a trailing backslash as a line continuation;
# splitting the value over several strings fails with "invalid number of
# arguments in add_header directive".
# The trailing "always" makes nginx send the header on 4xx/5xx responses too;
# without it, add_header only applies to 2xx and 3xx responses.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://trusted.cdn.com 'unsafe-inline'; img-src 'self' data: https://cdn.example.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws://localhost:3000; frame-src 'self' https://trusted.embed.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; block-all-mixed-content; upgrade-insecure-requests; report-uri /csp-report-endpoint;" always;

# Explanation of directives:
# default-src 'self': Only allow resources from the same origin by default; it is the fallback for every fetch directive that is not set explicitly.
# script-src: Specifies valid sources for JavaScript.
# 'unsafe-inline' (scripts/styles): Allows inline <script> or <style> blocks and inline event handlers. Use with caution: for script-src it removes most of the XSS protection CSP provides.
# 'unsafe-eval' (scripts): Allows eval(), new Function() and string arguments to setTimeout()/setInterval(). Use with caution.
# img-src: Specifies valid sources for images.
# data: (in img-src): Allows data: URIs for images (e.g., base64-encoded images).
# connect-src: Applies to XMLHttpRequest (AJAX), fetch(), WebSockets, and EventSource.
# object-src 'none': Disables <object>, <embed>, and <applet> tags completely.
# base-uri 'self': Restricts the URLs that can be used in a document's <base> element.
# form-action 'self': Restricts the URLs that can be used as the target of form submissions.
# frame-ancestors 'self': Prevents clickjacking by controlling which sites can embed the page.
# block-all-mixed-content: Blocks loading HTTP assets on HTTPS pages (obsolete in CSP3; upgrade-insecure-requests covers the same case).
# upgrade-insecure-requests: Tells user agents to rewrite HTTP URLs to HTTPS before fetching.
# report-uri /csp-report-endpoint: Specifies a URL to which the browser POSTs a JSON report when a CSP violation occurs. Deprecated in favour of report-to, but still the directive with the widest browser support; the endpoint must accept POST and should reply 204.

# Remember to remove 'unsafe-inline' and 'unsafe-eval' once your application is refactored to avoid them.
# Adjust all 'self' and specific domains based on your application's actual resource loading.
# Note that add_header is not merged across levels: an add_header in a location block
# replaces every add_header inherited from the server block, so repeat the CSP (and any
# other security headers) in each location that sets its own headers.
# To test a policy without breaking the site, send it as Content-Security-Policy-Report-Only
# first and review the reports before switching to the enforcing header.
How it works: This Nginx configuration snippet shows how to implement a robust Content Security Policy (CSP) with the 'add_header' directive. CSP is a browser-enforced security mechanism that helps contain attacks such as Cross-Site Scripting (XSS) by explicitly allow-listing trusted sources for each type of content (scripts, styles, images, etc.); the browser refuses to load anything from a source the policy does not permit. This granular control significantly reduces the attack surface of your web application. Always tailor directives like 'script-src' to your specific needs, removing 'unsafe-inline' and 'unsafe-eval' where possible, since they allow exactly the inline scripts and dynamic code evaluation that an injected payload relies on.
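The policy above is easiest to review once it is parsed into its directives. The following Python script is an added example, not part of the original snippet: it parses a CSP header value into a directive map, audits it for the weak settings the explanation warns about ('unsafe-inline', 'unsafe-eval', wildcards, missing object-src/base-uri/frame-ancestors, plaintext ws:// or http:// sources), and summarises a violation report of the kind the browser POSTs to the report-uri endpoint. The policy string and the sample report are constructed inputs; the audit rules are this example's own assumptions about what a strict policy should avoid.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example (not part of the original snippet). POLICY is the snippet's
policy collapsed into the single value that add_header takes; the audit
rules below are this example's assumptions about what "strict" should mean.
"""
import json
from typing import Dict, List

# The policy from the Nginx snippet, as one header value (constructed input).
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://trusted.cdn.com 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' https://trusted.cdn.com 'unsafe-inline'; "
    "img-src 'self' data: https://cdn.example.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "connect-src 'self' ws://localhost:3000; "
    "frame-src 'self' https://trusted.embed.com; "
    "object-src 'none'; base-uri 'self'; form-action 'self'; "
    "frame-ancestors 'self'; block-all-mixed-content; "
    "upgrade-insecure-requests; report-uri /csp-report-endpoint;"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}.

    Directives are separated by ';'. Within a directive the tokens are
    whitespace-separated; the first is the directive name (ASCII
    case-insensitive, so it is lower-cased), the rest are its sources.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. after the trailing ';'
        name = tokens[0].lower()
        # A repeated directive is ignored by browsers; keep the first one.
        policy.setdefault(name, tokens[1:])
    return policy


# Sources that make script-src / style-src too permissive to call strict.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def audit_csp(policy: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for weak or missing directives."""
    findings: List[str] = []
    # script-src and style-src fall back to default-src when absent.
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    # These three do not fall back to default-src, so they must be explicit.
    for required in ("object-src", "base-uri", "frame-ancestors"):
        if required not in policy:
            findings.append(f"{required} is not set")
    if "object-src" in policy and policy["object-src"] != ["'none'"]:
        findings.append("object-src is not 'none'")
    # Plaintext ws:// or http:// sources are mixed content on an HTTPS page.
    for directive, sources in policy.items():
        for src in sources:
            if src.startswith(("http://", "ws://")):
                findings.append(f"{directive} allows insecure source {src}")
    return findings


# A violation report as a browser POSTs it to report-uri (constructed sample).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example.com/checkout",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://untrusted.example.net/x.js",
        "original-policy": POLICY,
    }
})


def summarize_report(body: str) -> str:
    """Reduce a report-uri JSON body to one log-friendly line."""
    report = json.loads(body).get("csp-report", {})
    directive = report.get("effective-directive") or report.get("violated-directive", "?")
    return f"{directive} blocked {report.get('blocked-uri', '?')} on {report.get('document-uri', '?')}"


if __name__ == "__main__":
    for finding in audit_csp(parse_csp(POLICY)):
        print("finding:", finding)
    print(summarize_report(SAMPLE_REPORT))
```

Run against the snippet's own policy, the audit reports the two 'unsafe-*' keywords in script-src, 'unsafe-inline' in style-src and the plaintext ws://localhost:3000 source in connect-src; a policy that drops those comes back clean. The same parse_csp() can be pointed at the header a live server returns (for example via a HEAD request) to confirm that nginx is actually emitting the policy you configured.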
