Content Security Policy Headers are not appearing

B • 30 Nov '22
Hi All,

I am trying to set CSP headers in my nginx reverse proxy and they are not
appearing even after multiple attempts. Any idea what is wrong or why the
header is not getting added?

TIA
Blason R

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295928,295928#msg-295928
B • 30 Nov '22
Well, this is something I particularly noticed for the https vhost config. The CSP headers
are properly being displayed for http but not https.

Here is my config

more /etc/nginx/conf.d/sec-headers.conf

add_header Content-Security-Policy "default-src 'self'; font-src *;img-src *
data:; script-src *; style-src *;" always;

server {
        include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
        include /etc/nginx/conf.d/sec-headers.conf;
        listen 80;
.
..
.

And here is the https one

server {
        include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
        include /etc/nginx/conf.d/sec-headers.conf;
        listen 443 ssl http2;

However, with http it properly gets reflected but not with https.

curl -I http://www.xxxx.xxx
HTTP/1.1 301 Moved Permanently
Date: Wed, 30 Nov 2022 03:20:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.xxxx.xxxx
Server: applox-waf
Content-Security-Policy: default-src 'self'; font-src *;img-src * data:;
script-src *; style-src *;

HTTP/1.1 200 OK
Date: Wed, 30 Nov 2022 03:33:47 GMT
Content-Type: text/html
Content-Length: 37579
Connection: keep-alive
Cache-Control: private
Set-Cookie: ASPSESSIONIDSGSTSTQQ=KOMPLPOCKOFKKCOELBNALAKE; secure; path=/
Server: applox-waf
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295928,295929#msg-295929
M • 30 Nov '22
Hello!

On Tue, Nov 29, 2022 at 10:35:22PM -0500, blason wrote:

> Well this is particularly I noticed for https vhost config. The CSP headers
> are properly being displayed for http but not https.
> 
> Here is my config
> 
> more /etc/nginx/conf.d/sec-headers.conf
> 
> add_header Content-Security-Policy "default-src 'self'; font-src *;img-src *
> data:; script-src *; style-src *;" always;
> 
> 
> 
> server {
>         include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
>         include /etc/nginx/conf.d/sec-headers.conf;
>         listen 80;
> .
> ..
> .
> 
> And here is https
> 
> server {
>         include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
>         include /etc/nginx/conf.d/sec-headers.conf;
>         listen 443 ssl http2;
> 
> 
> However https properly gets reflected but not with https.

Note this sentence in the documentation
(https://nginx.org/r/add_header):

: These directives are inherited from the previous configuration 
: level if and only if there are no add_header directives defined on 
: the current level.

Your "add_header" directive is defined on the server level.  If 
there is a location where you use the "add_header" directive for 
something else (such as "Strict-Transport-Security" and other 
headers as seen in the https response you've provided), this will 
prevent headers from the server level from being added.

To fix this, consider repeating the "add_header" directive again 
in the affected locations.  Alternatively, define all the 
"add_header" directives at the server level and remove them from 
locations, so the directives defined at the server level will be 
used in all locations.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
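The inheritance rule quoted above is easy to get wrong in a large config, so here is an added example (not code from the thread, from Maxim, or from nginx) that models it: a minimal parser for the subset of nginx syntax involved (server/location blocks and add_header directives) and a check that reports, per location, which server-level headers will silently not be sent. The two configs inside it are constructed to mirror the thread: a CSP at server level plus an HSTS add_header inside a location (the broken case), and the fix from the reply with every add_header moved to the server level. The upstream name and the /var/www path are hypothetical.

```python
"""Spot add_header directives silently dropped by nginx's inheritance rule.

Added example, not code from the thread or from nginx: a minimal parser for the
subset of nginx syntax used here (server/location blocks, add_header), plus the
rule from the add_header documentation: a level inherits the parent's add_header
set only if it defines no add_header of its own.
"""
import re
from typing import Dict, List, Sequence

# Constructed config mirroring the thread: CSP at server level, HSTS only inside
# a location.  The location's own add_header hides the server-level CSP.
BROKEN_CONF = """
server {
    listen 443 ssl http2;
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://backend;   # hypothetical upstream
    }
    location /static/ {
        root /var/www;               # hypothetical path
    }
}
"""

# Fix suggested in the reply: declare every add_header at the server level and
# remove them from the locations, so all locations inherit the full set.
FIXED_CONF = """
server {
    listen 443 ssl http2;
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
        proxy_pass http://backend;
    }
    location /static/ {
        root /var/www;
    }
}
"""

# Quoted strings, braces, semicolons, bare words (comments are stripped first).
_TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')


class Block:
    def __init__(self, name: str, args: List[str]) -> None:
        self.name, self.args = name, args
        self.directives: List[tuple] = []   # (directive name, args)
        self.children: List["Block"] = []


def parse(conf: str) -> Block:
    """Build a block tree; sufficient for the directives this check needs."""
    root = Block("main", [])
    stack, stmt = [root], []
    for tok in _TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):  # drop # comments
        if tok == ";":
            stack[-1].directives.append((stmt[0], stmt[1:]))
            stmt = []
        elif tok == "{":
            child = Block(stmt[0], stmt[1:])
            stack[-1].children.append(child)
            stack.append(child)
            stmt = []
        elif tok == "}":
            stack.pop()
        else:
            stmt.append(tok)
    return root


def own_headers(block: Block) -> List[str]:
    """Header names declared by add_header directly at this level."""
    return [args[0].strip("\"'") for name, args in block.directives
            if name == "add_header" and args]


def effective_headers(block: Block, inherited: Sequence[str] = (),
                      path: tuple = (), out: Dict[str, List[str]] = None):
    """Headers actually sent per server/location, applying the inheritance rule."""
    out = {} if out is None else out
    own = own_headers(block)
    eff = own if own else list(inherited)   # inherit only when nothing is defined here
    label = path
    if block.name in ("server", "location"):
        label = path + (" ".join([block.name] + block.args),)
        out[" > ".join(label)] = eff
    for child in block.children:
        effective_headers(child, eff, label, out)
    return out


def dropped_headers(conf: str) -> Dict[str, List[str]]:
    """For each location, the server-level headers it will NOT send."""
    eff = effective_headers(parse(conf))
    report: Dict[str, List[str]] = {}
    for label, headers in eff.items():
        if " > " not in label:      # the server entries themselves
            continue
        server_headers = eff[label.split(" > ")[0]]
        missing = [h for h in server_headers if h not in headers]
        if missing:
            report[label] = missing
    return report


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, dropped_headers(conf) or "no headers dropped")
```

Run against the broken config, the report names "location /" as losing Content-Security-Policy, which matches the symptom in the thread: the redirect served at server level carries the CSP, the proxied page from the location does not. The /static/ location, which declares no add_header of its own, still inherits it. The fixed config yields an empty report. The parser deliberately handles only what the check needs (it does not evaluate `if` blocks, `include`, or `#` inside quoted values), so treat it as a pre-deploy sanity check rather than a substitute for inspecting the real responses with curl.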
B • 30 Nov '22
I see - that's a nice suggestion. Let me see how this goes.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295928,295939#msg-295939