Nginx Content Security Policy Example Syntax For Normal Websites

Abhishek Ghosh

By Abhishek Ghosh September 6, 2016 12:05 am Updated on September 6, 2016

Nginx Content Security Policy Example Syntax For Normal Websites

We discussed about Content Security Policy before – Content Security Policy for adding report-uri. Readers are complaining that many sites are proving snippets which are throwing odd errors in Nginx, like nginx: [emerg] invalid number of arguments in “add_header”, nginx: [emerg] invalid parameter “self”, nginx: [emerg] unexpected “s”. So, Here is Nginx Content Security Policy Example Syntax For Normal Websites Which Will Not Throw Any Error.

Before Implementing Nginx Content Security Policy Example

You Can Use With Nginx Content Security Policy Example on Normal Website Only the Report Only Function. Honestly, you can not use Content Security Policy with Google AdSense or any Third Party Ads. It is an impractical idea to add header to prevent XSS attack. With so many browsers and devices, except loading webpage from 1 -2 sources it is just not possible. We are giving example of both.

Nginx Content Security Policy Example

Those websites providing wrong syntax for Nginx. This is a common way to add any header on Nginx :

add_header 'Your-Header-Name' 'header-policy value; pass-url https://thecustomizewindows.com';

1	add_header 'Your-Header-Name' 'header-policy value; pass-url https://thecustomizewindows.com';

The above will give this output upon curl -I header checking :

Your-Header-Name: header-policy value; pass-url https://thecustomizewindows.com

1	Your-Header-Name: header-policy value; pass-url https://thecustomizewindows.com

In that way, this is a perfect clean Nginx Content Security Policy Example :

add_header 'Content-Security-Policy' 'default-src self https; report-uri https://thecustomizewindows.com/';

1	add_header 'Content-Security-Policy' 'default-src self https; report-uri https://thecustomizewindows.com/';

You will get all resources on :

https://report-uri.io

1	https://report-uri.io

… just register and use the tool. Suppose the web software suggested this :

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src *; style-src *; ing-src *; font-src *; connect-src *; media-src *; object-src *; child-src *; frame-src *; worker-src *; frame-ancestors *; form-action *; upgrade-insecure-requests; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock; reflected-css block; base-url thecustomizewindows.com:443; manifest-src *; referrer no-referrer-when-downgrade; require-sri-for script style;

1

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src *; style-src *; ing-src *; font-src *; connect-src *; media-src *; object-src *; child-src *; frame-src *; worker-src *; frame-ancestors *; form-action *; upgrade-insecure-requests; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock; reflected-css block; base-url thecustomizewindows.com:443; manifest-src *; referrer no-referrer-when-downgrade; require-sri-for script style;

You can make it to this for nginx:

add_header 'Content-Security-Policy' 'default-src self unsafe-inline unsafe-eval; script-src *; style-src *; ing-src *; font-src *; connect-src *; media-src *; object-src *; child-src *; frame-src *; worker-src *; frame-ancestors *; form-action *; upgrade-insecure-requests; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock; reflected-css block; base-url thecustomizewindows.com:443; manifest-src *; referrer no-referrer-when-downgrade; require-sri-for script style';

1

add_header 'Content-Security-Policy' 'default-src self unsafe-inline unsafe-eval; script-src *; style-src *; ing-src *; font-src *; connect-src *; media-src *; object-src *; child-src *; frame-src *; worker-src *; frame-ancestors *; form-action *; upgrade-insecure-requests; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock; reflected-css block; base-url thecustomizewindows.com:443; manifest-src *; referrer no-referrer-when-downgrade; require-sri-for script style';

It will avoid this error :

nginx: [emerg] unexpected "s" in /etc/nginx/sites-enabled/default

1	nginx: [emerg] unexpected "s" in /etc/nginx/sites-enabled/default

However, with the above some browsers may not allow anything expect text to load. We have tested may ways to only use Nginx Content Security Policy for protecting for XSS on websites with Third Party Ads running, has CDN. It is just not possible. Safari will load webpage without CSS, Images. Even this (notice default-src * unsafe-inline unsafe-eval) :

---

add_header 'Content-Security-Policy' 'default-src * unsafe-inline unsafe-eval; script-src *; style-src *; ing-src *; font-src *; connect-src *; media-src *; object-src *; child-src *; frame-src *; worker-src *; frame-ancestors *; form-action *; upgrade-insecure-requests; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock; reflected-css block; base-url thecustomizewindows.com:443; manifest-src *; referrer no-referrer-when-downgrade; require-sri-for script style';

1

add_header 'Content-Security-Policy' 'default-src * unsafe-inline unsafe-eval; script-src *; style-src *; ing-src *; font-src *; connect-src *; media-src *; object-src *; child-src *; frame-src *; worker-src *; frame-ancestors *; form-action *; upgrade-insecure-requests; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation allow-popups allow-pointer-lock; reflected-css block; base-url thecustomizewindows.com:443; manifest-src *; referrer no-referrer-when-downgrade; require-sri-for script style';

…forces not to load any Google Ads on Safari.

Nginx Content Security Policy Example Syntax For Normal Websites

Nginx Content Security Policy Report Only Example (This is What You Can Use)

We are using this :

add_header 'Content-Security-Policy-Report-Only' 'default-src self https:; report-uri https://abhishekghosh.report-uri.io/r/default/csp/reportOnly';

1	add_header 'Content-Security-Policy-Report-Only' 'default-src self https:; report-uri https://abhishekghosh.report-uri.io/r/default/csp/reportOnly';

If you run :

curl -I -s https://thecustomizewindows.com | grep "Content-Security-Policy-Report-Only"

1	curl -I -s https://thecustomizewindows.com \| grep "Content-Security-Policy-Report-Only"

You will get :

Content-Security-Policy-Report-Only: default-src self https:; report-uri https://abhishekghosh.report-uri.io/r/default/csp/reportOnly

1	Content-Security-Policy-Report-Only: default-src self https:; report-uri https://abhishekghosh.report-uri.io/r/default/csp/reportOnly

The above is safe for your website as webmaster to apply on whole website. Except reporting it has no action. That method of reporting is not exactly easy though.

Use Content Security Policy Dynamically, Not One Rule For Whole Website

Checkout pages, payment pages needs more security. You can inject the restricted header on the must be under microscope webpages. WordPress /wp-login.php is one such webpage, if you have PHPMyAdmin, that is important to filter. You can use PHP to pass the header.

Tagged With Content Security Policy report-uri webforms , no-referrer-when-downgrade nginx

About Abhishek Ghosh

Here’s what we’ve got for you which might like :

Take The Conversation Further ...