Nginx: provide mechanism to switch CSP mode

Author: djbe

README.md

@@ -14,6 +14,10 @@ Images with `nginx` can be configured using the following environment variables.
 
 ### Content Security Policy
 
+You can control the CSP behaviour with the `NGINX_CSP_MODE` key:
+- `enforce` (default): Configure the `Content-Security-Policy` header.
+- `report-only`: Instead configure the `Content-Security-Policy-Report-Only` header.
+
 Fetch:
 
 | Environment Key | Applied | Description | Default |

common/scripts/startup/env-configure-security.sh

@@ -5,13 +5,25 @@ set -euo pipefail
 # Configure nginx security based on ENV vars.
 #
 # Inputs (aside from all the individual CSP settings):
+# - NGINX_CSP_MODE: defaults to 'enforce'
 # - NGINX_CSP_REPORT_URI: defaults to ''
 # - NGINX_FRAME_OPTIONS: defaults to 'deny', note that setting to `disable` removes the header completely.
 
 # Set defaults
+NGINX_CSP_MODE="${NGINX_CSP_MODE:-enforce}"
 NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
 NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
 
+# Validate input
+if [ "${NGINX_CSP_MODE}" = 'enforce' ]; then
+  NGINX_CSP_HEADER_NAME='Content-Security-Policy'
+elif [ "${NGINX_CSP_MODE}" = 'report-only' ]; then
+  NGINX_CSP_HEADER_NAME='Content-Security-Policy-Report-Only'
+else
+  echo "Nginx: invalid CSP mode ${NGINX_CSP_MODE}"
+  exit 1
+fi
+
 # Check nginx structure
 if [ ! -d /etc/nginx/site-mods-enabled.d/ ]; then
   echo "Nginx: site-mods-enabled folder is missing, skipping security…"
@@ -29,7 +41,7 @@ fi
 # nginx content policy
 echo "Nginx: configuring content security policy…"
 cat <<EOF >> /etc/nginx/site-mods-enabled.d/00-generated-security.conf
-add_header 'Content-Security-Policy' "\
+add_header '${NGINX_CSP_HEADER_NAME}' "\
 default-src 'self'; \
 child-src ${NGINX_CSP_CHILD_SRC:-}; \
 connect-src ${NGINX_CSP_CONNECT_SRC:-}; \