Content Security Policy Configuration

Wiki

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

Allow everything but only from the same origin:

default-src 'self';

Only allow scripts from the same origin:

script-src 'self';

Allow Google Analytics, the Google AJAX CDN and the same origin:

script-src 'self' www.google-analytics.com ajax.googleapis.com;

Nginx Content Security Policy Configuration

Add the following to the server section:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;";

Note that a directive repeated within one policy is not merged: browsers honour only the first occurrence and ignore later copies, so placing a bare "script-src 'self'" before the entry that lists www.google-analytics.com would silently block the analytics script.

  • Starter Policy

This policy allows images, scripts, AJAX connections (XHR/fetch) and CSS from the same origin, and does not allow any other resource type to load (e.g. object, frame, media). It is a good starting point for many sites.

default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
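
As an added example (not code from the original page) covering both the nginx policy above and this starter policy: a small Python CSP evaluator that reports directives listed more than once, which browsers ignore after the first copy, and checks whether a URL is allowed for a directive, falling back to default-src when the fetch directive is absent. The function names parse_csp and allows are my own; ports and path matching are left out.

```python
"""Minimal CSP evaluator: added example, not code from the original page."""
# Parses a Content-Security-Policy value, reports directives listed more than
# once (a browser honours only the first copy and ignores the rest), and checks
# whether a source URL is allowed for a directive, falling back to default-src
# when the fetch directive is absent, as browsers do. Ports and path matching
# are deliberately left out to keep the example short.
from urllib.parse import urlsplit


def parse_csp(policy):
    """Return (directives, duplicates); only the first copy of a directive is kept."""
    directives, duplicates = {}, []
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in directives:
            duplicates.append(name)  # the browser ignores this copy
        else:
            directives[name] = sources
    return directives, duplicates


def _source_matches(source_expr, url, page_origin):
    """Match one source expression ('self', 'none', host, *.host) against url."""
    parts = urlsplit(url)
    if source_expr == "'none'":
        return False
    if source_expr == "'self'":
        return (parts.scheme, parts.netloc) == page_origin
    host = source_expr.split("://", 1)[-1].split("/", 1)[0].lower()
    if host.startswith("*."):
        return parts.hostname.endswith(host[1:])
    return parts.hostname == host


def allows(policy, directive, url, page_url):
    """True if policy lets `directive` load `url` on a page served from page_url."""
    directives, _ = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no governing directive, so CSP places no restriction
    page = urlsplit(page_url)
    page_origin = (page.scheme, page.netloc)
    return any(_source_matches(s, url, page_origin) for s in sources)
```

Running parse_csp over a header value before deploying it is a cheap way to catch the duplicated-directive mistake, and allows lets you confirm that each third-party host you expect to load is actually permitted.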
  • X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

The added security is only provided if the user accessing the document is using a browser supporting X-Frame-Options.

There are three possible directives for X-Frame-Options:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

ALLOW-FROM is obsolete and ignored by current browsers; the CSP frame-ancestors directive is the supported way to allow specific embedding origins.

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

add_header X-Frame-Options SAMEORIGIN;

If you get an error like this:

Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY') encountered when loading 'https://example.com'. Falling back to 'DENY'.

the PHP backend is sending its own X-Frame-Options header in addition to the one nginx adds. Configure nginx to hide the header from the backend response so that only one copy reaches the browser:

fastcgi_hide_header X-Frame-Options; # FastCGI Mode
proxy_hide_header   X-Frame-Options; # Proxy Mode

Reference: Content Security Policy (CSP) Quick Reference Guide
