Nginx as reverse proxy and Content Security Policy issue

Has anyone using nginx as a reverse proxy figured out the correct syntax to configure style-src?

I would love to see a working add_header line for CSP.

Credit goes to moderator for the pic.


Discourse does not send the default-src 'self' header in your screenshot. So, it’s very likely being introduced by your NGINX proxy config. Can you share that? (making sure to redact any sensitive content)


Yes, that is exactly what is in my config: add_header Content-Security-Policy "default-src 'self';"

I can’t actually get to it online right now.

I can't seem to find the magic to set and add style-src and get rid of the errors.

Discourse sets its own CSP header - there is no need to add your own.

So you should either remove this line from your NGINX config, or add a condition to exclude Discourse from it.
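To make the two options concrete, here is an added nginx example (not from this thread, and not Discourse's own configuration) showing the proxy block with the problematic add_header line beside the corrected form, plus a map-based exclusion for the case where a global CSP header has to stay for other vhosts. The hostname forum.example.com and the upstream socket path are assumptions.

```nginx
# Added example: nginx in front of Discourse. Hostname and socket path are assumed.

# Option B: keep a global CSP for other vhosts but give the Discourse host an
# empty value. nginx does not emit a header whose value is an empty string,
# so Discourse's own Content-Security-Policy passes through untouched.
map $host $csp_header {
    default            "default-src 'self';";
    forum.example.com  "";
}

upstream discourse {
    # Assumed path of the Discourse container's unix socket.
    server unix:/var/discourse/shared/standalone/nginx.http.sock;
}

server {
    listen 443 ssl http2;
    server_name forum.example.com;

    # Before (remove this): the response now carries TWO Content-Security-Policy
    # headers, the one Discourse sends and this one. Browsers enforce every CSP
    # header on a response, so a resource must be allowed by both policies.
    # A bare default-src 'self' therefore blocks the inline styles and
    # cross-origin avatar images that Discourse's own policy permits.
    #
    # add_header Content-Security-Policy "default-src 'self';" always;

    # Option B, if a global header must stay: the map above yields "" for this
    # host, so nothing is added here and other vhosts keep their policy.
    # add_header Content-Security-Policy $csp_header always;

    location / {
        # Option A (what fixed the thread): no add_header at all, so the
        # upstream's Content-Security-Policy header is passed through as-is.
        proxy_pass http://discourse;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two nginx details matter here. First, add_header directives are only inherited from the enclosing level when the current level has none of its own, so a stray add_header in the location block silently replaces every server-level header rather than merging with it; check each level. Second, verify the result from outside with `curl -sI https://forum.example.com/ | grep -i content-security-policy`: the fixed deployment should print exactly one Content-Security-Policy line, the one Discourse generated. Two lines means the proxy is still injecting its own.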

Yeah, did that, same problem.

As a test I even added unsafe-inline, still same problem with login rendering and group avatars.

If I comment out the policy, it all works as expected…

That’s good. Commenting out the NGINX config means that the CSP header set by Discourse should be passed through :tada:


I shall try that and see what securityheaders.com shows. I’ll be back…

Works great, removing CSP from nginx.conf and allowing Discourse to handle it. A+ header rating.
For the life of me, I can't recall why I decided to go with an nginx install and reverse proxy versus just using it out of the box.

