Hi everyone,
I'm using nginx/1.6.2 on a GNU/Linux Debian (Jessie) system and hosting a WordPress site.
The 'general' CSP header I use is:
add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
But for a specific WordPress site I want to use a different CSP header:
Right now this is my (not working) solution:
location = /site/ {
    add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
}
This ends in a "404 Not Found" error.
But this works:
location = /site/ {
    try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
    add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
    include /etc/nginx/conf/php5-ssl.conf;
}
But this means that every site is getting the new CSP header.
The question is, how can I rewrite the CSP header only for the specific site?
Something like:
location = /site/ {
    add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
    try_files ???;
}
Maybe someone can help me with this one.
Cheers!
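
One way to scope the relaxed policy to /site/ only, as an added example that is not part of the original post: pick the header value with a `map` on `$request_uri`, which still holds the URI the client sent after `try_files` has redirected internally to /index.php. The variable name `$csp_policy` is an assumption; the two policies and the include path are copied from the post.

```nginx
# Added example, not the poster's configuration.
# $csp_policy is an assumed variable name.

# http {} context. map is evaluated lazily, when $csp_policy is first used.
# $request_uri is the original request line URI (with query string); it is
# not rewritten by the internal redirect that try_files makes to /index.php,
# so the PHP location can still tell which page was asked for.
map $request_uri $csp_policy {
    # Strict policy for everything that is not listed below.
    default "default-src 'self'; img-src https: 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";

    # Relaxed script-src only for /site/ (with or without a query string),
    # mirroring the exact match of "location = /site/".
    "~^/site/(\?.*)?$" "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
}

server {
    # listen, server_name, root and index stay as in the existing server block.

    location = /site/ {
        # No add_header here: the response is produced by the location
        # that handles /index.php, and that location sets the headers.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # add_header directives are inherited from the outer level only when
        # the current level defines none, so any other security headers set
        # at server {} level must be repeated here.
        add_header Content-Security-Policy $csp_policy;
        include /etc/nginx/conf/php5-ssl.conf;
    }
}
```

Checking both paths with `curl -sI` and comparing the `Content-Security-Policy` response header confirms that `'unsafe-inline' 'unsafe-eval'` is only served for /site/.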