
Content Security Policy (CSP) Issue For Subdomain With Nginx As Reverse Proxy And Node Express As Backend

I have an issue with content security policy headers. Scripts and styles are blocked.

It seems that nginx is overloading my express headers.

I tried a lot and my last state is this.

nginx server block

...
location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
}
....

express setup (domain name is changed to example.com)

const express = require('express');
const lusca = require('lusca');
const app = express();
...
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(
  lusca.csp({
    policy: {
      "default-src": "'self' *.example.com",
      "img-src": "*"
    }
  })
);
...

In the browser console I get this:

content security policy the page’s settings blocked the loading of a resource at ("default-src")
content security policy the page’s settings blocked the loading of a resource at ("script-src")
content security policy the page’s settings blocked the loading of a resource at ("style-src")

In the browser's answer field (CSP appears twice!):

content-security-policy: default-src 'self' *.example.com; img-src *
content-security-policy: default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';

Does anyone have an idea why this configuration is not working? Or how to tell nginx to use express's headers and hold down its own?


Answer

I solved it by adding proxy_pass_header to the nginx server block:

location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    # THIS DIRECTIVE SOLVED IT (nginx comments use '#', not '//')
    proxy_pass_header content-security-policy;
}
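Added example, not code from the question or the answer: a small evaluator that shows why the two headers seen in the question block scripts and styles. Browsers enforce every Content-Security-Policy header they receive independently, so a load has to be allowed by all of them. Assumes Node.js; source matching is simplified to host names (scheme and port are ignored), and the page origin and resource URLs are constructed.

```javascript
// Added example, not code from the question or answer: browsers enforce every
// Content-Security-Policy header they receive independently, so a resource
// must be allowed by ALL delivered policies. This is why the second header
// blocked scripts and styles that the Express policy permitted.

// Parse one header value into { directive: [sourceExpression, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Simplified source matching (host only; scheme and port are ignored).
function sourceMatches(expr, resourceUrl, pageOrigin) {
  const url = new URL(resourceUrl);
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return true;
  const host = expr.replace(/^[a-z]+:\/\//i, '').split('/')[0];
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// One policy: use the fetch directive if present, else fall back to default-src.
function policyAllows(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true; // nothing applies: unrestricted
  return sources.some(s => sourceMatches(s, resourceUrl, pageOrigin));
}

// Multiple headers: the load succeeds only if every policy allows it.
function allowedByAll(headers, directive, resourceUrl, pageOrigin) {
  return headers.map(parsePolicy)
    .every(p => policyAllows(p, directive, resourceUrl, pageOrigin));
}

// The two header values observed in the question (copied from the post).
const HEADERS = [
  "default-src 'self' *.example.com; img-src *",
  "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';",
];
const PAGE = 'https://www.example.com'; // constructed page origin
const CDN_SCRIPT = 'https://cdn.example.com/app.js'; // constructed resource
console.log('Express policy alone:', allowedByAll([HEADERS[0]], 'script-src', CDN_SCRIPT, PAGE)); // true
console.log('Both headers:', allowedByAll(HEADERS, 'script-src', CDN_SCRIPT, PAGE)); // false
```

Running it shows the subdomain script passing the Express policy on its own and failing once the second header is present, which matches the blocked script-src and style-src messages in the console.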
source: stackoverflow.com