SEC 1.5: better security policy in nginx.conf

Max Azatian · Max Azatian · commit 95eef8127312 · 2025-07-28T13:14:22.000+02:00
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
@@ -42,7 +42,7 @@ server {
     }
 
     location / {
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; style-src 'self' 'nonce-$request_id'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';";
         add_header X-Frame-Options "SAMEORIGIN";
         add_header X-Content-Type-Options "nosniff";
         add_header Referrer-Policy "strict-origin-when-cross-origin";

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ server {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`location / {`
`45`		`- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';";`
	`45`	`+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; style-src 'self' 'nonce-$request_id'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';";`
`46`	`46`	`add_header X-Frame-Options "SAMEORIGIN";`
`47`	`47`	`add_header X-Content-Type-Options "nosniff";`
`48`	`48`	`add_header Referrer-Policy "strict-origin-when-cross-origin";`