Welcome! Log In Create A New Profile

Nesting variables to build header contents - is there a better way?

Forum List Message List New Topic Print View

petecooper

November 12, 2018 06:34AM

Registered: 5 years ago
Posts: 32

Hello.

I use `add_header` to build Content Security Policy and Feature Policy headers. To help with change control and maintainability I build an Nginx variable from nothing and add each Content Security Policy and Feature Policy data/source type on a different line. The Nginx variable is unique to the `server` block. For example (excerpt from `server` block for subdomain.example.com):

#nested variable for Content Security Policy maintainability
set $contentsecuritypolicy_https_subdomain_example_com '';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}connect-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}default-src \'none\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}font-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}frame-ancestors \'none\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}img-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}manifest-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}media-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}object-src \'none\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}script-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}style-src https://cdnjs.cloudflare.com \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}worker-src \'self\';';
add_header Content-Security-Policy $contentsecuritypolicy_https_subdomain_example_com;
#nested variable for Feature Policy maintainability
set $featurepolicy_https_subdomain_example_com '';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}camera \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}fullscreen \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}geolocation \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}gyroscope \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}magnetometer \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}microphone \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}midi \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}notifications \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}payment \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}push \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}speaker \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}sync-xhr \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}vibrate \'none\''; #no trailing semicolon
add_header Feature-Policy $featurepolicy_https_subdomain_example_com;

This method provides a level of visibility for change control, and is preferable to the everything-on-one-line method for each header type.

I am aware this method also consumes additional memory due to the increased `variables_hash_bucket_size` requirements.

Is there an alternative way I could build two headers with each content/source type on its own line, without nesting and appending variables?

Thank you in advance for any feedback or advice.

Reply Quote

RSS

Subject	Author	Posted
Nesting variables to build header contents - is there a better way?	petecooper	November 12, 2018 06:34AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 266

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018