From 83d3101fa9805cd6ad6fccf6aa41409edeb029f8 Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Sat, 24 Aug 2024 10:48:49 -0400
Subject: [PATCH] nginx: add Content-Security-Policy-Report-Only header to all non-wordpress content sites (#57)

Fixes gh-54
---
 modules/profile/templates/contentorigin/site.nginx.erb | 3 +++
 modules/profile/templates/gruntjscom/site.nginx.erb | 3 +++
 modules/profile/templates/miscweb/site.nginx.erb | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
index a1d653a..4c352aa 100644
--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -13,6 +13,9 @@ server {
 server_tokens off;
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+
 location / {
 root /srv/www/content.jquery.com;
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
index 4d16781..735e8d5 100644
--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -12,6 +12,9 @@ server {
 error_log /var/log/nginx/error.log crit;
 server_tokens off;
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+
 location / {
 proxy_pass http://localhost:<%= @backend_port %>;
 proxy_redirect off;
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
index 633e10e..fd8d111 100644
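Review bot: The `report-to` directive in the added `add_header Content-Security-Policy-Report-Only` line is given a URL, but CSP's `report-to` takes the name of a reporting group declared in a separate `Reporting-Endpoints` (or legacy `Report-To`) header, so browsers will not deliver violation reports for this policy and the report-only rollout produces no data; the same line is added in the gruntjscom and miscweb hunks. Either switch to the `report-uri` directive, which takes a URL directly, e.g. `report-uri https://csp-report-api.openjs-foundation.workers.dev/`, or keep `report-to` and pair it with `add_header Reporting-Endpoints 'csp-endpoint="https://csp-report-api.openjs-foundation.workers.dev/"';` plus `report-to csp-endpoint` in the policy. Appending `always` to the `add_header` would also send the header on error responses, which nginx otherwise omits. nginx does not inherit `add_header` into a `location` block that declares its own `add_header`; the `location /` blocks that follow are only partly visible here, so confirm none of them do. The enclosing `server` block begins before and ends after each hunk.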
--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -18,6 +18,9 @@ server {
 root /srv/www/<%= @fqdn %><%= @site['webroot'] or '' %>;
+ # Add Content Security Policy headers
+ add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+
 <%- if @site['allow_php'] -%>
 index index.php index.html;
 try_files $uri $uri/ /index.php$is_args$args;
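Review bot: The policy string is pasted verbatim into this template and the two templates in the preceding hunks, so any later change to the allowed hosts or the report endpoint has to be made in three places and the three sites can silently drift apart. Consider defining the policy once in the Puppet profile and rendering it here through a single ERB expression (`<%= … %>`), leaving the per-site `add_header` line as the only thing each template owns. The enclosing `server` block begins before and ends after the hunk.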