Anyone using nginx as a reverse proxy figured out the correct syntax to configure style-src?
I would love to see a working CSP add header for CSP
Credit goes to moderator for the pic.
Discourse does not send the default-src 'self' header in your screenshot. So, it's very likely being introduced by your NGINX proxy config. Can you share that? (making sure to redact any sensitive content)
Yes, that is exactly what is in my add_header Content Security Policy default-src ‘self’;
I can’t actually get to it online right now.
I can't seem to find the magic to set and add style-src and get rid of the errors.
Discourse sets its own CSP header - there is no need to add your own.
So you should either remove this line from your NGINX config, or add a condition to exclude Discourse from it.
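Added example (not from this thread or from the Discourse project): an nginx server block that proxies Discourse without stacking a second Content-Security-Policy header on top of the one Discourse already sends, while still letting nginx set its own CSP on a path it serves itself. The hostname, the upstream address 127.0.0.1:8080 and the /var/www path are assumptions. The reason the extra header breaks rendering is that browsers enforce every CSP header they receive, so an nginx `default-src 'self'` cannot relax anything Discourse's policy allows; it can only block more.

```nginx
# Problem configuration (what the thread describes): one add_header at server
# level, applied to every response including the proxied Discourse pages.
#
#   server {
#       add_header Content-Security-Policy "default-src 'self';" always;
#       location / { proxy_pass http://127.0.0.1:8080; }
#   }
#
# The browser then sees two CSP headers and enforces both, so inline styles
# and avatar sources that Discourse's own policy permits are still blocked.

server {
    listen 443 ssl;
    server_name forum.example.com;   # placeholder hostname

    # Headers that are safe to add to everything this server returns.
    add_header X-Content-Type-Options nosniff always;

    # Discourse: proxy only. No add_header here, so the upstream
    # Content-Security-Policy header passes through untouched.
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed Discourse listener
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # A path nginx serves itself and where an nginx-set CSP is appropriate.
    # add_header directives in a location replace, rather than merge with,
    # those inherited from the server block, so repeat any you still want.
    location /static/ {
        root /var/www;   # assumed path
        add_header X-Content-Type-Options nosniff always;
        add_header Content-Security-Policy "default-src 'self'; style-src 'self'" always;
    }
}
```

After reloading, confirm with `curl -sI https://forum.example.com/` that exactly one Content-Security-Policy header comes back for Discourse pages, and that it is the one Discourse generates rather than the nginx one.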
Yea, did that, same problem.
As a test I even added unsafe-inline, still same problem with login rendering and group avatars.
If I comment out the policy, it all works as expected…
That’s good. Commenting out the NGINX config means that the CSP header set by Discourse should be passed through
I shall try that and see what securityheaders.com shows. I’ll be back…
Works great, removing CSP from nginx.conf and allowing Discourse to handle it. A+ header rating.
For the life of me, I can’t recall why I decided to go with an nginx install and reverse proxy versus just using out of the box.