
How to set a conditional Content-Security-Policy?

Anonymous User
March 27, 2018 12:52PM
For my nginx server, I set a CSP header

set $CSP '';
set $CSP "${CSP}default-src 'self';";
set $CSP "${CSP}script-src 'self';";
add_header Content-Security-Policy $CSP;

For a webapp, using Symfony, the developer UI injects inline script for display of a "Debug Toolbar".

It's access-blocked by that^ server policy.

Changing

- set $CSP "${CSP}script-src 'self';";
+ set $CSP "${CSP}script-src 'self' 'unsafe-inline';";
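Review bot: the '+' line puts 'unsafe-inline' into the same $CSP variable that the single add_header sends on every response, so inline script becomes allowed for all clients, not only for the developer viewing the toolbar. Keep the strict script-src 'self' value as the default and select the relaxed value through a separate variable that is set only for the developer's source address.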

fixes the problem -- access to the debug toolbar is allowed, and it's rendered.

But, adding the 'unsafe-inline' is certainly not ideal!

Apache has the option to create/return a CSP policy depending on Request IP:

https://blog.paranoidpenguin.net/2017/12/deploy-different-content-security-policies-csps-using-the-apache-if-directive/

How would the equivalent be done in nginx config?

Iiuc, there's no if/then/else construct.

Something with maps maybe?

Hal
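
One way to get the per-client policy the question asks about, using nginx's geo and map modules (an added example, not part of the original thread; the developer address 192.0.2.10 and the server name are placeholders chosen for illustration):

```nginx
# Place the geo and map blocks in the http {} context.

# Classify the client by source address. geo matches against $remote_addr
# by default. 192.0.2.10 is a placeholder developer workstation (assumption).
geo $csp_dev {
    default     0;
    127.0.0.1   1;
    192.0.2.10  1;
}

# Pick the script-src directive from that classification.
# Everyone gets the strict value unless explicitly listed above.
map $csp_dev $csp_script_src {
    0  "script-src 'self';";
    1  "script-src 'self' 'unsafe-inline';";
}

server {
    listen 80;
    server_name example.test;   # placeholder name

    # A single header whose script-src part is chosen per request.
    # Note: add_header is inherited from this level only by locations
    # that declare no add_header of their own.
    add_header Content-Security-Policy "default-src 'self'; $csp_script_src";
}
```

$remote_addr is the address of the connecting peer, so behind a reverse proxy or load balancer every request would match the proxy's address unless the realip module is configured to restore the client address first.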