I have an issue with Content Security Policy headers: scripts and styles are blocked.
It seems that nginx is overriding my Express headers.
I have tried a lot of things, and this is my current state.
nginx server block
...
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
....
express setup (domain name is changed to example.com)
const express = require('express');
const lusca = require('lusca');
const app = express();
...
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(
lusca.csp({
policy: {
"default-src": "'self' *.example.com",
"img-src": "*"
}
})
);
...
In the browser console I get this:
content security policy the page’s settings blocked the loading of a resource at ("default-src")
content security policy the page’s settings blocked the loading of a resource at ("script-src")
content security policy the page’s settings blocked the loading of a resource at ("style-src")
In the browser's response headers (the CSP header appears twice!):
content-security-policy: default-src 'self' *.example.com; img-src *
content-security-policy: default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';
Does anyone have an idea why this configuration is not working? Or how to tell nginx to use Express's headers and suppress its own?
I solved it by adding proxy_pass_header to the nginx server block:
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# THIS DIRECTIVE SOLVED IT (nginx comments start with "#", not "//")
proxy_pass_header content-security-policy;
}
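The three console errors in the question follow from one browser rule: when a response carries several Content-Security-Policy headers, every one of them is enforced, so a resource must be allowed by all of them and the effective policy is their intersection. The second header (default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self') therefore blocks the *.example.com scripts and styles and the third-party images that the Express policy alone would permit. The script below is an added example, not code from the question or the answer: it replays that rule, with Node built-ins only, on the two header values shown above. The page origin https://www.example.com and the resource URLs are assumed for illustration, and only the common CSP source forms (keywords, *, scheme-sources, host-sources with a leading wildcard) are modelled.

```javascript
// Added example, not code from the question or the answer above.
// A browser enforces EVERY Content-Security-Policy header in a response, so a
// load must pass all of them. This checker reports which header blocked a
// load, which is the quickest way to see which layer (Express or nginx) is
// emitting the policy that breaks the page. Subset of CSP: 'self', 'none',
// '*', scheme-sources (https:) and host-sources (*.example.com, cdn.example.com:443).

// Parse one header value into Map(directive -> [source expressions]).
// Per CSP, a directive repeated within one policy is ignored after its first occurrence.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression admit `resource` (a URL object) for a document at pageOrigin?
function sourceMatches(expr, resource, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return resource.origin === pageOrigin.toLowerCase();
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(resource.protocol);
  if (e.startsWith("'")) return false;                                   // 'unsafe-inline', nonces, hashes: not URL matches
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return resource.protocol === e;    // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port][/path]; host may be "*" or start with "*."
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*?[a-z0-9.-]+)(?::(\d+|\*))?(\/[^\s]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme + ':' !== resource.protocol) return false;
  if (host.startsWith('*.')) {
    // "*.example.com" matches cdn.example.com but, per spec, not example.com itself
    if (!resource.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && host !== resource.hostname) {
    return false;
  }
  if (port && port !== '*') {
    const rport = resource.port || (resource.protocol === 'https:' ? '443' : '80');
    if (rport !== port) return false;
  }
  if (path && !resource.pathname.startsWith(path)) return false;
  return true;
}

// Fetch directives (script-src, style-src, img-src, ...) fall back to default-src
// when absent; with neither present this policy imposes no limit on the load.
// (Non-fetch directives such as frame-ancestors do not fall back; not needed here.)
function allowedBy(headerValue, directive, resourceUrl, pageOrigin) {
  const policy = parsePolicy(headerValue);
  const sources = policy.get(directive) || policy.get('default-src');
  if (sources === undefined) return true;
  const resource = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, resource, pageOrigin));
}

// Apply every CSP header the response carried, as a browser does, and say which blocked.
function checkResource(headerValues, directive, resourceUrl, pageOrigin) {
  const blockedBy = [];
  headerValues.forEach((h, i) => {
    if (!allowedBy(h, directive, resourceUrl, pageOrigin)) blockedBy.push(i);
  });
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample: the two header values from the question; origin is assumed.
const PAGE_ORIGIN = 'https://www.example.com';
const RESPONSE_CSP_HEADERS = [
  "default-src 'self' *.example.com; img-src *",
  "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';",
];
// Constructed loads, one per console error in the question.
const SAMPLE_LOADS = [
  ['script-src', 'https://www.example.com/app.js'],
  ['script-src', 'https://cdn.example.com/vendor.js'],
  ['style-src', 'https://cdn.example.com/site.css'],
  ['img-src', 'https://images.example.org/hero.png'],
];

function report(headerValues, loads, pageOrigin) {
  return loads.map(([directive, url]) => {
    const r = checkResource(headerValues, directive, url, pageOrigin);
    return `${directive} ${url}: ${r.allowed ? 'allowed' : 'blocked by header #' + r.blockedBy.join(', #')}`;
  });
}

console.log(report(RESPONSE_CSP_HEADERS, SAMPLE_LOADS, PAGE_ORIGIN).join('\n'));
```

Only the first-party script passes; every other load is blocked by header #1 alone, which is the stricter policy the question attributes to nginx. The practical check is to compare `curl -sI http://127.0.0.1:3000/` (Express directly) with the same request through nginx: whichever response gains the second Content-Security-Policy line identifies the layer that emits it, and the goal is a response that carries exactly one such header.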