Nginx: switch the default CSP mode to report-only for now

Author: djbe

README.md

@@ -22,8 +22,8 @@ Images with `nginx` can be configured using the following environment variables.
 ### Content Security Policy
 
 You can control the CSP behaviour with the `NGINX_CSP_MODE` key:
-- `enforce` (default): Configure the `Content-Security-Policy` header.
-- `report-only`: Instead configure the `Content-Security-Policy-Report-Only` header.
+- `enforce`: Configure the `Content-Security-Policy` header.
+- `report-only` (default): Instead configure the `Content-Security-Policy-Report-Only` header.
 
 Note: the following fetch & navigation CSP keys can also be set via an embedded file located at `/etc/csp-generator/default`.
 

common/scripts/startup/50-env-configure-nginx-csp.sh

@@ -14,14 +14,14 @@ set -euo pipefail
 # `NGINX_CSP_…`, like `NGINX_CSP_CHILD_SRC`.
 #
 # Inputs (aside from all the individual CSP settings):
-# - NGINX_CSP_MODE: defaults to 'enforce'
+# - NGINX_CSP_MODE: defaults to 'report-only'
 # - NGINX_CSP_REPORT_URI: defaults to ''
 # - NGINX_FRAME_OPTIONS: defaults to 'deny', note that setting to `disable` removes the header completely.
 
 # Set defaults
 NGINX_CONFIG_FILE='/etc/nginx/snippets/vars/csp-and-robots.conf'
 NGINX_CSP_ITEMS='child-src connect-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src require-trusted-types-for script-src style-src trusted-types worker-src'
-NGINX_CSP_MODE="${NGINX_CSP_MODE:-enforce}"
+NGINX_CSP_MODE="${NGINX_CSP_MODE:-report-only}"
 NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
 NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
 

tests/nuxt-base/final/csp/env.properties

@@ -14,6 +14,6 @@ NGINX_CSP_STYLE_SRC="https://styles.environment.com data: 'unsafe-inline'"
 NGINX_CSP_TRUSTED_TYPES="environment-foo env-bar"
 NGINX_CSP_WORKER_SRC="https://workers.environment.com data:"
 
-NGINX_CSP_MODE=report-only
+NGINX_CSP_MODE=enforce
 NGINX_CSP_REPORT_URI=https://sentry.appwi.se/api/347/security/?sentry_key=foo123
 NGINX_FRAME_OPTIONS=sameorigin

tests/nuxt-base/final/csp/goss.yaml

@@ -3,7 +3,7 @@ http:
   check envs and secrets:
     headers:
       - >-
-        Content-Security-Policy-Report-Only:
+        Content-Security-Policy:
         default-src 'self';
         child-src https://children.embedded.com 'self' https://children.environment.com data:;
         connect-src https://connection.embedded.com 'self' https://connection.environment.com data:;

tests/nuxt-base/final/default/goss.yaml

@@ -5,7 +5,7 @@ http:
     body:
       - 'Hey from index.mjs'
     headers:
-      - 'Content-Security-Policy: default-src ''self'';'
+      - 'Content-Security-Policy-Report-Only: default-src ''self'';'
       - 'Cross-Origin-Opener-Policy: same-origin'
       - 'Cross-Origin-Resource-Policy: same-origin'
       - 'Permissions-Policy: interest-cohort=()'

tests/payload-base/final/csp/env.properties

@@ -14,6 +14,6 @@ NGINX_CSP_STYLE_SRC="https://styles.environment.com data: 'unsafe-inline'"
 NGINX_CSP_TRUSTED_TYPES="environment-foo env-bar"
 NGINX_CSP_WORKER_SRC="https://workers.environment.com data:"
 
-NGINX_CSP_MODE=report-only
+NGINX_CSP_MODE=enforce
 NGINX_CSP_REPORT_URI=https://sentry.appwi.se/api/347/security/?sentry_key=foo123
 NGINX_FRAME_OPTIONS=sameorigin

tests/payload-base/final/csp/goss.yaml

@@ -3,7 +3,7 @@ http:
   check envs and secrets:
     headers:
       - >-
-        Content-Security-Policy-Report-Only:
+        Content-Security-Policy:
         default-src 'self';
         child-src https://children.embedded.com 'self' https://children.environment.com data:;
         connect-src https://connection.embedded.com 'self' https://connection.environment.com data:;

tests/payload-base/final/default/goss.yaml

@@ -5,7 +5,7 @@ http:
     body:
       - 'Hey from server.js'
     headers:
-      - 'Content-Security-Policy: default-src ''self'';'
+      - 'Content-Security-Policy-Report-Only: default-src ''self'';'
       - 'Cross-Origin-Opener-Policy: same-origin'
       - 'Cross-Origin-Resource-Policy: same-origin'
       - 'Permissions-Policy: interest-cohort=()'

tests/php-base/fpm/csp/env.properties

@@ -14,6 +14,6 @@ NGINX_CSP_STYLE_SRC="https://styles.environment.com data: 'unsafe-inline'"
 NGINX_CSP_TRUSTED_TYPES="environment-foo env-bar"
 NGINX_CSP_WORKER_SRC="https://workers.environment.com data:"
 
-NGINX_CSP_MODE=report-only
+NGINX_CSP_MODE=enforce
 NGINX_CSP_REPORT_URI=https://sentry.appwi.se/api/347/security/?sentry_key=foo123
 NGINX_FRAME_OPTIONS=sameorigin

tests/php-base/fpm/csp/goss.yaml

@@ -3,7 +3,7 @@ http:
   check envs and secrets:
     headers:
       - >-
-        Content-Security-Policy-Report-Only:
+        Content-Security-Policy:
         default-src 'self';
         child-src https://children.embedded.com 'self' https://children.environment.com data:;
         connect-src https://connection.embedded.com 'self' https://connection.environment.com data:;