Anyone using nginx as a reverse proxy figured out the correct syntax to configure style-src?
I would love to see a working CSP add header for CSP
Credit goes to moderator for the pic.
Discourse does not send the default-src 'self' header in your screenshot. So, it’s very likely being introduced by your NGINX proxy config. Can you share that? (making sure to redact any sensitive content)
1 Like
Yes, that is exactly what is in my add_header Content Security Policy default-src ‘self’;
I can’t actually get to it online right now.
I cant seem to find the magic to set and add style-src and get rid of the errors.
Discourse sets its own CSP header - there is no need to add your own.
So you should either remove this line from your NGINX config, or add a condition to exclude Discourse from it.
Yea, did that, same problem.
As a test I even added unsafe-inline, still same problem with login rendering and group avatars.
If I comment out the policy, it all works as expected…
That’s good. Commenting out the NGINX config means that the CSP header set by Discourse should be passed through 
3 Likes
I shall try that and see what securityheaders.com shows. I’ll be back…
Works great, removing CSP from nginx.conf and allowing Discourse to handle it. A+ header rating.
For the life of me, I can’t recall why I decided to go with an nginx install and reverse proxy versus just using out of the box.
1 Like
This topic was automatically closed after 22 hours. New replies are no longer allowed.