nginx content security policy header


In this post I will share how we can protect our site if we use nginx as our web server.

Guided by Scott Helme's work on CSP, I started to test the CSP header of our site; I used his tool and finally achieved the desired result, an A+ 🙂

In the virtual host (server block) of our site we add the following lines after the location / block:

# Enforced policy: blocks mixed content and only allows our own origin to frame the site
add_header Content-Security-Policy "block-all-mixed-content; frame-ancestors 'self';";
# Report-only policy: violations are reported to the report-uri, not blocked
add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri";

I set up a report on the site, and so I started collecting information from my web server about XSS attacks, web server configuration errors, monitoring, and everything else related to the new web standards.
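The report-uri in the policy above only helps if something receives and makes sense of what browsers send to it. The following is an added example, not code from the post or its site: a small Python receiver that parses the JSON body a browser POSTs to a report-uri ({"csp-report": {...}}), drops the noise caused by browser extensions, and counts real violations by directive and blocked host, which is the data you need to tighten a report-only policy before enforcing it. The sample reports, the hostnames and the /csp-report endpoint path are all constructed for the example.

```python
"""Minimal CSP violation report collector (added example, not the post's own code)."""
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

# Schemes that mean a browser extension, not our page, triggered the violation.
NOISE_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension", "safari-web-extension")


def parse_report(body: bytes) -> Optional[dict]:
    """Return the csp-report object, or None if the body is not a CSP report."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report


def is_noise(report: dict) -> bool:
    """True for violations caused by browser extensions, which we cannot fix server-side."""
    blocked = report.get("blocked-uri", "")
    source = report.get("source-file", "")
    return any(u.startswith(s + ":") for u in (blocked, source) for s in NOISE_SCHEMES)


def blocked_host(report: dict) -> str:
    """Normalise blocked-uri to a host name, or keep bare keywords such as 'inline' / 'eval'."""
    blocked = report.get("blocked-uri", "")
    if "://" in blocked:
        return urlsplit(blocked).hostname or blocked
    return blocked or "(empty)"


def aggregate(bodies):
    """Count real violations by (directive, blocked host); returns (counter, dropped_count)."""
    counts = Counter()
    dropped = 0
    for body in bodies:
        report = parse_report(body)
        if report is None or is_noise(report):
            dropped += 1
            continue
        # CSP1 reports only carry violated-directive ("script-src 'self'"); CSP2 adds effective-directive
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        counts[(directive, blocked_host(report))] += 1
    return counts, dropped


class ReportHandler(BaseHTTPRequestHandler):
    """report-uri endpoint (assumed path /csp-report): accept the POST, log it, answer 204."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        report = parse_report(self.rfile.read(min(length, 64 * 1024)))  # cap body size
        if report and not is_noise(report):
            self.log_message("CSP %s blocked %s on %s", report["violated-directive"],
                             blocked_host(report), report.get("document-uri", "?"))
        self.send_response(204)
        self.end_headers()


# Constructed sample reports; these are not real traffic from the post's site.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.net/lib.js"}}).encode(),
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.net/other.js"}}).encode(),
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/post/1",
                               "violated-directive": "style-src 'self'",
                               "blocked-uri": "inline"}}).encode(),
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "chrome-extension://abcdef/content.js"}}).encode(),
    b"not json at all",
]

if __name__ == "__main__":
    counts, dropped = aggregate(SAMPLE_REPORTS)
    for (directive, host), n in counts.most_common():
        print(f"{n:4d}  {directive:<12} {host}")
    print(f"dropped {dropped} noise/invalid reports")
    # To serve as the report-uri target: HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

The counts tell you which hosts need to be added to the policy (cdn.example.net here) and where inline styles still exist, while extension noise is discarded so it does not distort the numbers. Put the receiver behind TLS and keep the body cap, since anyone on the internet can POST to a report-uri.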

I personally have had a bit of luck with the addition of redundant headers, but almost all of them are for protection 🙂

HTTP/2 200 
date: Wed, 17 Oct 2018 07:13:17 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: PHPSESSID=d2lar8sp9vq24752mip9lu31ls; path=/; secure; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: 🐧
link:; rel=""
link:; rel=shortlink
server: rws
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-cache: HIT
x-xss-protection: 1; mode=block; report=
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
p3p: Can I help you? Contact me via, CP=CAO ADMa DEVa IND PHY ONL UNI COM LOC
feature-policy: sync-xhr 'self'
content-security-policy: block-all-mixed-content; frame-ancestors 'self';
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri
referrer-policy: no-referrer-when-downgrade
expect-ct: enforce; max-age=86400; report-uri=
x-app-server: gevi
x-slogan: Respect is earned, not given!
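To see what the two add_header lines and the response above actually give you, here is an added example (not the post's own code, and not the tool it refers to): a Python script that parses a raw header dump like the one shown, splits each Content-Security-Policy value into directives, and lists the findings a practitioner would want to know about, such as source expressions that undo the policy, a missing default-src or frame-ancestors, a report-only policy with nowhere to report to, and an HSTS lifetime under one year. The dump embedded in the script is constructed from the post's headers with the elided report URIs replaced by the placeholder report.example.test and the link headers omitted.

```python
"""Audit the security headers of an HTTP response (added example, not the post's own code)."""
from typing import Dict, List

# Constructed response: mirrors the post's header list, with placeholder report URIs.
RAW_RESPONSE = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
set-cookie: PHPSESSID=constructed; path=/; secure; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block; report=https://report.example.test/xss
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
feature-policy: sync-xhr 'self'
content-security-policy: block-all-mixed-content; frame-ancestors 'self';
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://report.example.test/csp
referrer-policy: no-referrer-when-downgrade
expect-ct: enforce; max-age=86400; report-uri=https://report.example.test/ct
"""

# Source expressions that undo most of what a CSP is for.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value; the status line is skipped, duplicates joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers[name] = (headers[name] + ", " + value.strip()) if name in headers else value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source, ...]}; as in browsers, the first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(policy: Dict[str, List[str]], enforced: bool) -> List[str]:
    """Findings for one policy; the missing-directive checks only matter for the enforced one."""
    label = "CSP" if enforced else "CSP-Report-Only"
    findings = []
    if enforced and "default-src" not in policy:
        findings.append(f"{label}: no default-src, so script/style/etc. sources are unrestricted")
    if enforced and "frame-ancestors" not in policy:
        findings.append(f"{label}: no frame-ancestors (framing control relies on X-Frame-Options)")
    for directive, sources in policy.items():
        for weak in sorted(WEAK_SOURCES & set(sources)):
            findings.append(f"{label}: {directive} allows {weak}")
    if not enforced and not policy.get("report-uri") and not policy.get("report-to"):
        findings.append(f"{label}: report-only policy without report-uri/report-to reports nowhere")
    return findings


def audit(headers: Dict[str, str]) -> List[str]:
    """Findings over the whole response; an empty list means every check passed."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security", "")
    max_age = next((int(p[8:]) for p in hsts.replace(" ", "").split(";")
                    if p.startswith("max-age=") and p[8:].isdigit()), 0)
    if max_age < 31536000:
        findings.append("HSTS: missing or max-age below one year")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy: not set")
    if "content-security-policy" not in headers:
        findings.append("CSP: no enforced policy")
    else:
        findings += audit_csp(parse_csp(headers["content-security-policy"]), enforced=True)
    if "content-security-policy-report-only" in headers:
        findings += audit_csp(parse_csp(headers["content-security-policy-report-only"]), enforced=False)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(RAW_RESPONSE)) or ["no findings"]:
        print(finding)
```

Run against the constructed dump it reports four things: the enforced policy has no default-src (it only blocks mixed content and framing, so script sources are still unrestricted), and the report-only policy allows 'unsafe-inline', 'unsafe-eval' and data:. That is consistent with the post's approach of starting with a loose report-only policy and tightening it from reports; the audit just makes explicit what is still open.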

That's it!