Comments (1)
jamesmacwhite
commented on May 29, 2024
I would personally not set a Content-Security-Policy header in this module. The reason being is many CSP headers are tailored to the specific app, some services may provide their own policy in the code base without having to set it in NGINX. Some can be stricter than others as well while others may need unsafe-inline. You won't be able to set a suitable CSP policy that fits every scenario, or if you do, you'll like downgrade the security of CSP for some applications, if they can be stricter than others but you'll essentially bring others down to the lowest level.
The simplicity of having security_headers on in the http block is nice, but I don't think it's feasible for CSP. I think it is acceptable that the CSP header has to be added per virtualhost or even location block in some cases. It is the best for security of that service/application.
You could add documentation on the header in the README.md, but I think this module shouldn't add the header itself. Even with a default value, it's going to cause more problems than it solves I think.
from ngx_security_headers.
Related Issues (17)
- Conflicts with ModSecurity HOT 4
- Not able to install through yum. HOT 1
- Strict-Transport-Security header not being added on SSL requests HOT 8
- Strict-Transport-Security: Preloading should be opt-in HOT 2
- Strict-Transport-Security: Preloading doesn't work HOT 2
- Feature Request: Additional Cross-Origin headers (COOP CORP, COEP)
- X-XSS-Protection: 0 is recommended by Mozilla and Google HOT 2
- Rewrite Referrer-Policy header HOT 2
- Missing ".configure" file for compiling on Ubuntu HOT 1
- add custom header
- Hide all irrelevant headers by default
- release prebuilt package in apt repository HOT 6
- Hide cache headers
- Header access control
- not find ngx_http_security_headers_module.so HOT 1
- How to use it on Windows's nginx? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ngx_security_headers.