NGINX
Implementing a Strict Content Security Policy (CSP) Header
Learn to configure a robust Content Security Policy (CSP) in Nginx to mitigate XSS attacks and control resource loading for enhanced web security.
```nginx
# "always" makes nginx send the header on every response, including 4xx/5xx
# error pages; without it, add_header only applies to 2xx/3xx responses.
# nginx does not inherit add_header from an enclosing block once a location
# declares its own add_header, so repeat this line in such locations.
# 'unsafe-inline' in style-src is a deliberate relaxation for inline CSS; it
# does not weaken the script-src protection against injected scripts.
add_header Content-Security-Policy "default-src 'self';
    script-src 'self' https://trusted-cdn.com https://another-trusted-cdn.com;
    style-src 'self' 'unsafe-inline' https://trusted-cdn.com;
    img-src 'self' data: https://trusted-cdn.com;
    font-src 'self' https://trusted-cdn.com;
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'self';
    upgrade-insecure-requests;" always;
```
How it works: This Nginx configuration adds a `Content-Security-Policy` header to responses (note that `add_header` without the `always` flag only covers 2xx and 3xx responses, not error pages). The policy allows each content type (scripts, styles, images, fonts, etc.) to load only from trusted sources, primarily `'self'` (the site's own origin) and the listed CDNs; anything not covered by a specific directive falls back to `default-src 'self'`. `object-src 'none'` blocks plugin content and `base-uri 'self'` prevents base URL tampering, while `frame-ancestors 'self'` stops other origins from framing the site and `form-action 'self'` keeps form submissions on the same origin. Together these significantly reduce the impact of Cross-Site Scripting (XSS) attacks. `upgrade-insecure-requests` tells browsers to automatically upgrade HTTP subresource requests to HTTPS. Keep in mind that `base-uri`, `frame-ancestors` and `form-action` do not inherit from `default-src`, so omitting them leaves those behaviours unrestricted.
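To verify that a deployed policy actually delivers the protections described above, it helps to parse the header value and audit it the way a browser would interpret it. The following Python script is an added example, not part of the original page or of Nginx: it parses a CSP header value into directives, applies the `default-src` fallback only to fetch directives, and flags the weak settings that most often undermine a policy. The two policy strings are constructed samples; the first is the policy from the snippet above joined onto one line, the second is a deliberately weak policy for comparison.

```python
"""Parse a Content-Security-Policy header value and flag weak settings.

Added example for auditing a CSP string; assumes nothing beyond the
standard library.
"""
from typing import Dict, List

# Constructed sample: the policy from the Nginx snippet, joined onto one line.
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://trusted-cdn.com https://another-trusted-cdn.com; "
    "style-src 'self' 'unsafe-inline' https://trusted-cdn.com; "
    "img-src 'self' data: https://trusted-cdn.com; "
    "font-src 'self' https://trusted-cdn.com; "
    "object-src 'none'; base-uri 'self'; form-action 'self'; "
    "frame-ancestors 'self'; upgrade-insecure-requests;"
)

# Constructed sample of a policy that looks restrictive but is not.
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"

# Fetch directives fall back to default-src when absent; document and
# navigation directives (base-uri, frame-ancestors, form-action) do not.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}
# Scheme-only or wildcard sources that let scripts load from any matching origin.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive. Per the CSP spec, a directive that
    appears more than once keeps only its first occurrence.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing semicolon
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list governing a fetch directive, applying the
    default-src fallback the way a browser does."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def audit_csp(value: str) -> List[str]:
    """Return human-readable findings; an empty list means no weakness found."""
    policy = parse_csp(value)
    findings: List[str] = []

    scripts = effective_sources(policy, "script-src")
    # Browsers ignore 'unsafe-inline' in script-src once a nonce or hash is present.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' allows eval()/Function() on strings")
    for source in scripts:
        if source in BROAD_SOURCES:
            findings.append(f"script-src: broad source {source} permits scripts from any matching origin")

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: should be 'none' to block <object>/<embed> plugin content")

    for directive in ("base-uri", "frame-ancestors"):
        if directive not in policy:
            findings.append(f"{directive}: missing; it has no default-src fallback, so it is unrestricted")

    if "'unsafe-inline'" in effective_sources(policy, "style-src"):
        findings.append("style-src: 'unsafe-inline' permits injected inline styles (lower risk than scripts)")

    return findings


if __name__ == "__main__":
    for label, policy_value in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        print(f"[{label}]")
        for finding in audit_csp(policy_value) or ["no findings"]:
            print("  -", finding)
```

Run against the snippet's policy, the only finding is the intentional `'unsafe-inline'` in `style-src`; the weak policy produces findings for inline and eval scripts, the `https:` scheme source, the missing `object-src 'none'`, and the unrestricted `base-uri` and `frame-ancestors`. Feeding the function the value returned by `curl -sI` against a deployed site is a quick way to confirm the header survived Nginx's `add_header` inheritance rules.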