nginx: add Content-Security-Policy-Report-Only header to all non-wordpress content sites (#57)

timmywil · web-flow · commit 83d3101fa980 · 2024-08-24T10:48:49.000-04:00
Fixes gh-54
diff --git a/modules/profile/templates/contentorigin/site.nginx.erb b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -13,6 +13,9 @@ server {
 
   server_tokens off;
 
+  # Add Content Security Policy headers
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+
   location / {
     root /srv/www/content.jquery.com;
 
diff --git a/modules/profile/templates/gruntjscom/site.nginx.erb b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -12,6 +12,9 @@ server {
   error_log     /var/log/nginx/error.log crit;
   server_tokens off;
 
+  # Add Content Security Policy headers
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+
   location / {
     proxy_pass http://localhost:<%= @backend_port %>;
     proxy_redirect off;
diff --git a/modules/profile/templates/miscweb/site.nginx.erb b/modules/profile/templates/miscweb/site.nginx.erb
@@ -18,6 +18,9 @@ server {
 
   root /srv/www/<%= @fqdn %><%= @site['webroot'] or '' %>;
 
+  # Add Content Security Policy headers
+  add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/";
+
 <%- if @site['allow_php'] -%>
   index index.php index.html;
   try_files $uri $uri/ /index.php$is_args$args;
