Nesting variables to build header contents - is there a better way?

November 12, 2018 06:34AM
Hello.

I use `add_header` to build Content Security Policy and Feature Policy headers. To help with change control and maintainability I build an Nginx variable from nothing and add each Content Security Policy and Feature Policy data/source type on a different line. The Nginx variable is unique to the `server` block. For example (excerpt from `server` block for subdomain.example.com):

```nginx
#nested variable for Content Security Policy maintainability
set $contentsecuritypolicy_https_subdomain_example_com '';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}connect-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}default-src \'none\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}font-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}frame-ancestors \'none\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}img-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}manifest-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}media-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}object-src \'none\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}script-src \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}style-src https://cdnjs.cloudflare.com \'self\';';
set $contentsecuritypolicy_https_subdomain_example_com '${contentsecuritypolicy_https_subdomain_example_com}worker-src \'self\';';
add_header Content-Security-Policy $contentsecuritypolicy_https_subdomain_example_com;
#nested variable for Feature Policy maintainability
set $featurepolicy_https_subdomain_example_com '';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}camera \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}fullscreen \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}geolocation \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}gyroscope \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}magnetometer \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}microphone \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}midi \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}notifications \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}payment \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}push \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}speaker \'none\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}sync-xhr \'self\';';
set $featurepolicy_https_subdomain_example_com '${featurepolicy_https_subdomain_example_com}vibrate \'none\''; #no trailing semicolon
add_header Feature-Policy $featurepolicy_https_subdomain_example_com;
```

This method provides a level of visibility for change control, and is preferable to the everything-on-one-line method for each header type.

I am aware this method also consumes additional memory due to the increased `variables_hash_bucket_size` requirements.

Is there an alternative way I could build two headers with each content/source type on its own line, without nesting and appending variables?

Thank you in advance for any feedback or advice.
petecooper November 12, 2018 06:34AM
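
One build-time alternative to the approach in the post above, added here as an example and not part of the original post or of nginx itself: keep each policy as a plain text file with one directive per line, and render it into a single `add_header` line that the `server` block pulls in with `include`. The function names, the input format and the sample policy are assumptions made for this sketch.

```python
import re

# Constructed sample input: one directive per line, so each change is a one-line diff.
CSP_SOURCE = """\
# Content Security Policy for subdomain.example.com
connect-src 'self'
default-src 'none'
style-src https://cdnjs.cloudflare.com 'self'
"""

NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")
# Characters that would split the policy (; ,) or change how nginx parses
# the double-quoted argument (" \ $), plus control characters.
UNSAFE_RE = re.compile(r'[;,"\\$\x00-\x1f]')


def parse_policy(text):
    """Return ordered (name, value) pairs from one-directive-per-line text."""
    seen, pairs = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if not NAME_RE.match(name):
            raise ValueError(f"line {lineno}: bad directive name {name!r}")
        if UNSAFE_RE.search(value):
            raise ValueError(f"line {lineno}: unsafe character in {name}")
        if name in seen:
            # Browsers ignore a repeated CSP directive, so fail loudly here.
            raise ValueError(f"line {lineno}: duplicate directive {name}")
        seen.add(name)
        pairs.append((name, " ".join(value.split())))
    return pairs


def render_add_header(header, text):
    """Build one nginx add_header line from the policy text."""
    value = "; ".join(f"{n} {v}".strip() for n, v in parse_policy(text))
    # Double quotes let the policy's single quotes pass through unescaped.
    return f'add_header {header} "{value}";'


if __name__ == "__main__":
    print(render_add_header("Content-Security-Policy", CSP_SOURCE))
```

The same function renders the Feature-Policy file; run `nginx -t` after regenerating the included files and before reloading.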