From 1406a95ed03166d45d028e48b410b5391f5d717d Mon Sep 17 00:00:00 2001
From: vchikalkin
Date: Sat, 27 Apr 2024 13:46:16 +0300
Subject: [PATCH] nginx.conf: add csp header
---
 config/include/csp.conf | 10 ++++++++++
 config/nginx.auth.conf | 2 ++
 config/nginx.off.conf | 3 +++
 3 files changed, 15 insertions(+)
 create mode 100644 config/include/csp.conf
diff --git a/config/include/csp.conf b/config/include/csp.conf
new file mode 100644
index 0000000..f42dc9d
--- /dev/null
+++ b/config/include/csp.conf
@@ -0,0 +1,10 @@
+set $CSP_UPGRADE_INSECURE_REQUESTS "upgrade-insecure-requests;";
+set $CSP_DEFAULT_SRC "default-src https: wss: data: blob: 'self';";
+set $CSP_BASE_URI "base-uri 'self';";
+set $CSP_CONNECT_SRC "connect-src 'self' *.evoleasing.ru wss:;";
+set $CSP_WORKER_SRC "worker-src 'self' blob:;";
+set $CSP_FONT_SRC "font-src 'self' fonts.gstatic.com fonts.googleapis.com;";
+set $CSP_SCRIPT_SRC "script-src 'self';";
+set $CSP_STYLE_SRC "style-src 'self' 'unsafe-inline' fonts.googleapis.com;";
+set $CSP_OBJECT_SRC "object-src 'none';";
+set $CSP_FRAME_ANCESTORS "frame-ancestors 'none';";
\ No newline at end of file
diff --git a/config/nginx.auth.conf b/config/nginx.auth.conf
index c68c874..ec9b102 100644
--- a/config/nginx.auth.conf
+++ b/config/nginx.auth.conf
@@ -21,6 +21,7 @@ upstream app {
 server {
 listen 80;
 include /etc/nginx/mime.types;
+ include /etc/nginx/include/csp.conf;
 error_page 401 /login;
@@ -56,6 +57,7 @@ server {
 include /etc/nginx/include/auth.conf;
+ add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
 }
 location = /health {
diff --git a/config/nginx.off.conf b/config/nginx.off.conf
index 214e006..ab6edc0 100644
--- a/config/nginx.off.conf
+++ b/config/nginx.off.conf
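Review bot: `default-src https: wss: data: blob: 'self'` on the second added line of config/include/csp.conf is the fallback for every fetch directive the file does not set explicitly, so img-src, media-src, frame-src, child-src and manifest-src all end up permitting any https: origin plus data: and blob: URLs, and form-action — which never falls back to default-src — is left unrestricted, so the policy does not stop form submissions to foreign origins. Consider `set $CSP_DEFAULT_SRC "default-src 'self';";`, moving the https:/data:/blob: allowances into explicit `img-src`/`frame-src` lines that list only what the application actually loads, and adding `set $CSP_FORM_ACTION "form-action 'self';";` (the new variable then has to be appended to the add_header value in both nginx.auth.conf and nginx.off.conf). Separately, `upgrade-insecure-requests` only makes sense if TLS is terminated in front of these `listen 80` servers, because browsers will rewrite http: subresource URLs to https: once it is set; a comment at the top of the file stating that assumption would help. `style-src 'unsafe-inline'` is also worth a one-line comment naming what needs it, so it can be removed later.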
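Review bot: The new `add_header Content-Security-Policy ...` in the second hunk of config/nginx.auth.conf has no `always` flag, so nginx attaches the header only to 2xx/3xx responses; the 401 responses that `error_page 401 /login;` in the first hunk turns into the login page are therefore sent with no CSP at all, which is the one page most likely to render attacker-influenced input. Append the flag: `add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS … $CSP_FRAME_ANCESTORS" always;`. The directive also sits inside a location block that opens outside the hunk, and since nginx inherits add_header only into levels that define none of their own, `location = /health {` and any other location in this server with its own add_header (including anything inside the included auth.conf) will not carry the policy; placing the directive at server level next to the new `include /etc/nginx/include/csp.conf;` would cover every location that does not override add_header. The add_header added in config/nginx.off.conf has the same two issues.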
@@ -8,6 +8,7 @@ upstream app {
 server {
 listen 80;
 include /etc/nginx/mime.types;
+ include /etc/nginx/include/csp.conf;
 location / {
 proxy_pass http://app;
@@ -17,6 +18,8 @@ server {
 proxy_set_header Connection 'upgrade';
 proxy_set_header Host $host;
 proxy_cache_bypass $http_upgrade;
+
+ add_header Content-Security-Policy "$CSP_UPGRADE_INSECURE_REQUESTS $CSP_DEFAULT_SRC $CSP_BASE_URI $CSP_CONNECT_SRC $CSP_WORKER_SRC $CSP_FONT_SRC $CSP_SCRIPT_SRC $CSP_STYLE_SRC $CSP_OBJECT_SRC $CSP_FRAME_ANCESTORS";
 }
 location = /health {
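Review bot: The header value in the second hunk of config/nginx.off.conf is assembled from ten server-level `set` variables that live in a separate include, so the policy exists only while the `include /etc/nginx/include/csp.conf;` from the first hunk stays in the same server block; if that include is dropped or the server block is copied without it, nginx — as far as I know — substitutes an empty string for each uninitialized variable and only logs a warning, so the response carries a hollow Content-Security-Policy instead of `nginx -t` failing. Either emitting the header from csp.conf itself or writing the value as one static string would make a missing policy visible rather than silent. At minimum, a comment above the directive such as `# policy fragments are defined in include/csp.conf; that include must stay in this server block` makes the coupling explicit. The same construction is used in config/nginx.auth.conf.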