nginx.conf: add csp header

config/include/csp.conf

@@ -0,0 +1,10 @@
+set $CSP_UPGRADE_INSECURE_REQUESTS "upgrade-insecure-requests;";
+set $CSP_DEFAULT_SRC "default-src https: wss: data: blob: 'self';";
+set $CSP_BASE_URI "base-uri 'self';";
+set $CSP_CONNECT_SRC "connect-src 'self' *.evoleasing.ru wss:;";
+set $CSP_WORKER_SRC "worker-src 'self' blob:;";
+set $CSP_FONT_SRC "font-src 'self' fonts.gstatic.com fonts.googleapis.com;";
+set $CSP_SCRIPT_SRC "script-src 'self';";
+set $CSP_STYLE_SRC "style-src 'self' 'unsafe-inline' fonts.googleapis.com;";
+set $CSP_OBJECT_SRC "object-src 'none';";
+set $CSP_FRAME_ANCESTORS "frame-ancestors 'none';";

config/nginx.auth.conf

@@ -21,6 +21,7 @@ upstream app {
 server {
     listen                       80;
     include                      /etc/nginx/mime.types;
+    include                      /etc/nginx/include/csp.conf;
 
     error_page                   401 /login;
 
@@ -56,6 +57,7 @@ server {
 
         include                  /etc/nginx/include/auth.conf;
 
+        add_header               Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
     }
 
     location = /health {

config/nginx.off.conf

@@ -8,6 +8,7 @@ upstream app {
 server {
     listen                  80;
     include                 /etc/nginx/mime.types;
+    include                 /etc/nginx/include/csp.conf;
 
     location / {
         proxy_pass          http://app;
@@ -17,6 +18,8 @@ server {
         proxy_set_header    Connection 'upgrade';
         proxy_set_header    Host $host;
         proxy_cache_bypass  $http_upgrade;
+
+        add_header          Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
     }
 
     location = /health {