fix(csp): remove duplicate CSP from nginx and allow Cloudflare Turnstile
- Updated backend/src/app.js to allow Cloudflare domains in CSP - Added https://challenges.cloudflare.com to scriptSrc - Added https://challenges.cloudflare.com to connectSrc - Added https://challenges.cloudflare.com to frameSrc - Removed duplicate CSP from nginx/conf.d.prod/default.conf - CSP is now managed only by backend Helmet middleware - Prevents conflicting security policies
@@ -12,16 +12,13 @@ server {
|
|||||||
|
|
||||||
client_max_body_size 500M;
|
client_max_body_size 500M;
|
||||||
|
|
||||||
# Security headers
|
# Security headers (CSP is set by backend Helmet middleware)
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||||
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
||||||
|
|
||||||
# Strict Content Security Policy for production
|
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" always;
|
|
||||||
|
|
||||||
# Block access to sensitive files and directories
|
# Block access to sensitive files and directories
|
||||||
location ~ /\. {
|
location ~ /\. {
|
||||||
deny all;
|
deny all;
|
||||||
|
|||||||
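Review bot: Dropping the server-level `Content-Security-Policy` leaves any response nginx serves itself rather than proxies — static assets, an SPA `index.html`, nginx error pages — with no CSP at all, because Helmet only runs on responses generated by the Node app; the `location` blocks that decide what is proxied are outside this hunk, so either confirm every HTML response goes through the backend or keep a CSP on the non-proxied locations. The conflict the commit message says it prevents also likely persists for `X-XSS-Protection`: Helmet's default middleware (v4+) sends `X-XSS-Protection: 0`, and nginx `add_header` appends to, rather than replaces, upstream headers, so proxied responses would carry both `0` and `1; mode=block`. That header is deprecated and harmful in some browsers, so drop `add_header X-XSS-Protection "1; mode=block" always;` here. Note too that the removed policy had `frame-ancestors 'none'`, stricter than the remaining `X-Frame-Options "SAMEORIGIN"` and Helmet's default `frame-ancestors 'self'`; if framing was meant to be blocked entirely, the Helmet CSP in backend/src/app.js needs `frameAncestors: ["'none'"]` and the X-Frame-Options value should be `DENY` to match.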