NGINX

Implement a Robust Content Security Policy (CSP) Header

Protect your web application from Cross-Site Scripting (XSS) and data injection attacks by configuring a strict Content Security Policy (CSP) header.

# In your Nginx server block (or http block). Keep the whole value on ONE line:
# nginx does not join quoted strings across lines, so the line breaks would be
# copied into the header value and produce a malformed header.
# "always" (nginx >= 1.7.5) sends the header on 4xx/5xx responses too; without it
# add_header only applies to 2xx/3xx. Any add_header inside a nested location
# block replaces every add_header inherited from this level, so repeat it there.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline' https://trusted.cdn.com; img-src 'self' data: https://trusted.images.com; font-src 'self' https://trusted.cdn.com; connect-src 'self' ws://your.api.com wss://your.api.com; frame-ancestors 'none'; form-action 'self'; object-src 'none'; base-uri 'self'; report-uri /csp-report-endpoint" always;
How it works: The browser enforces the Content-Security-Policy header on every page the server returns with it. `default-src 'self'` is the fallback for every fetch directive that is not listed explicitly (media-src, frame-src, worker-src, and so on), limiting them to the page's own origin; it does not govern `frame-ancestors`, `form-action` or `base-uri`, which is why those are set separately. `script-src` names the only origins scripts may be loaded from, and because `'unsafe-inline'` is absent from it, injected inline scripts and event handlers do not execute; this is what blunts most reflected and stored XSS. `style-src` does carry `'unsafe-inline'`, a concession for inline styles that leaves CSS injection unblocked; replace it with nonces or hashes if the application can. `img-src` and `font-src` pin images and fonts to known hosts (`data:` permits inline images). `connect-src` lists the endpoints XHR, fetch and WebSocket may contact; the `ws://` entry allows a cleartext WebSocket and should be dropped once the API is TLS-only. `frame-ancestors 'none'` stops the site being embedded in frames, defeating clickjacking; `form-action 'self'` stops forms posting to attacker origins; `object-src 'none'` blocks plugin content; `base-uri 'self'` prevents an injected `<base>` tag from redirecting relative URLs. `report-uri` makes the browser POST a JSON violation report to the given path (it is deprecated in favour of `report-to` but still the more widely supported of the two). Roll a new policy out under `Content-Security-Policy-Report-Only` first, review the reports, then switch to the enforcing header.
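To see which source list actually governs each resource type under the fallback rules described above, and to catch the weak spots a reviewer would flag, here is an added Python example (editor's code, not part of the original nginx snippet). It parses a policy string into directives, resolves the `default-src` fallback, and applies a few lint heuristics of my own choosing. `EXAMPLE_POLICY` is the snippet's policy joined onto one line; the host names in it are the snippet's placeholders.

```python
"""Added example: parse a CSP header value, resolve the effective source list
for each directive (default-src fallback), and flag weak settings.
The lint rules are the editor's heuristics, not a browser's or a standard's."""
from typing import Optional

# Fetch directives: these fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = frozenset({
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
    "child-src",
})
# These never inherit from default-src; leaving them out means "no restriction".
NAVIGATION_DIRECTIVES = frozenset({"frame-ancestors", "form-action", "base-uri"})

# The snippet's policy, joined onto one line (constructed from the page).
EXAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' https://trusted.cdn.com; "
    "style-src 'self' 'unsafe-inline' https://trusted.cdn.com; "
    "img-src 'self' data: https://trusted.images.com; "
    "font-src 'self' https://trusted.cdn.com; "
    "connect-src 'self' ws://your.api.com wss://your.api.com; "
    "frame-ancestors 'none'; form-action 'self'; object-src 'none'; "
    "base-uri 'self'; report-uri /csp-report-endpoint"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source, ...]}. Directive names are
    case-insensitive and, as in browsers, a repeated directive is ignored
    after its first occurrence."""
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> Optional[list[str]]:
    """Return the source list that really applies to `name`, or None if the
    policy does not restrict it at all."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES and "default-src" in directives:
        return directives["default-src"]
    return None


def lint(directives: dict[str, list[str]]) -> list[str]:
    """Heuristic checks for the mistakes that most often hollow out a CSP."""
    findings: list[str] = []
    for name in ("script-src", "object-src", *sorted(NAVIGATION_DIRECTIVES)):
        if effective_sources(directives, name) is None:
            findings.append(f"{name} is unrestricted")
    scripts = effective_sources(directives, "script-src") or []
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
    )
    # With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP level 2+).
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:") for s in scripts):
        findings.append("script-src allows scripts from any host")
    styles = effective_sources(directives, "style-src") or []
    if "'unsafe-inline'" in styles:
        findings.append("style-src allows 'unsafe-inline': injected inline styles are not blocked")
    for name in sorted(FETCH_DIRECTIVES):
        for src in effective_sources(directives, name) or []:
            if src.startswith(("http://", "ws://")):
                findings.append(f"{name} allows cleartext source {src}")
    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("no report-uri/report-to: violations are never reported")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_csp(EXAMPLE_POLICY)):
        print(finding)
```

Run against the snippet's own policy, the linter reports exactly the two concessions noted above (`'unsafe-inline'` in `style-src` and the cleartext `ws://` API endpoint); run against a lazy `default-src 'self' 'unsafe-inline'` it shows why that is not a substitute for the full policy: `base-uri`, `form-action` and `frame-ancestors` are left wide open, and inline scripts still execute.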
