CSP and headers
Paul
paul at stormy.ca
Mon Aug 26 20:50:55 UTC 2024
[specifically to the new/freenginx list]
We've used nginx (currently stable 1.18.0 (Ubuntu)) ahead of apache2 for
a long time, happy. This is in production, some 800k transactions per
day -- not huge, but...
Reverted to a backup server yesterday (maintenance) and had embedded
PDFs fail. Backup was supposed to be identical, but had a single diff:
`add_header Content-Security-Policy "frame-ancestors 'none'";` screwed up
several thousand embedded PDF files. My can of worms, now corrected.
QUESTIONS: What is the best CSP policy for what most user browsers seem to
expect? Opera and Mac had no problem, Firefox and Chrome are more
sensitive. `<meta>` tags appear to be approaching black magic and
Google/Mozilla/Chrome are rude about them.
Is there a security (CSP?) related nginx "paper" on best industry
standards? I've read various github and others, but am looking for
nginx. Maybe missed something obvious?
Tnx and br,
Paul
\\\||//
(@ @)
ooO_(_)_Ooo__________________________________
|______|_____|_____|_____|_____|_____|_____|_____|
|___|____|_____|_____|_____|_____|_____|_____|____|
|_____|_____| mailto:paul at stormy.ca _|____|____|
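An added configuration example (not the poster's config) showing the header that broke the embedded PDFs beside a form that still blocks framing by other sites. It assumes the PDFs are only embedded by pages served from the same origin and that `example.test` and `/pdf/` are placeholder names:

```nginx
# Added example, not from the original post.

# Breaking form: 'none' forbids <iframe>, <object> and <embed> of this
# response from ANY origin, the server's own origin included, so an
# in-page PDF viewer on the same site gets a blank frame.
server {
    listen 80;
    server_name example.test;   # placeholder hostname
    add_header Content-Security-Policy "frame-ancestors 'none'" always;
}

# Corrected form (assumption: the PDFs are embedded only by same-origin
# pages): 'self' allows same-origin embedding and still blocks framing
# from other sites. X-Frame-Options covers browsers without CSP level 2
# support; browsers that understand frame-ancestors ignore it.
server {
    listen 80;
    server_name example.test;   # placeholder hostname
    add_header Content-Security-Policy "frame-ancestors 'self'" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location /pdf/ {
        # Caveat: a location that declares its own add_header inherits
        # NONE of the add_header lines from the server block, so every
        # security header must be restated here or it silently vanishes.
        add_header Cache-Control "private" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        types { application/pdf pdf; }
    }
}
```

The `always` parameter makes nginx attach the header to error responses too (by default `add_header` only applies to 2xx/3xx status codes), and the `location` block illustrates the inheritance rule that most often explains a policy that works on one server and not on its supposedly identical backup: compare `curl -sI https://host/` against `curl -sI https://host/pdf/x.pdf` and check that both carry the same `Content-Security-Policy`.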