diff --git a/confs/content-security-policy.conf b/confs/content-security-policy.conf
new file mode 100644
index 0000000..11e3338
--- /dev/null
+++ b/confs/content-security-policy.conf
@@ -0,0 +1 @@
+more_set_headers "Content-Security-Policy: %CONTENT_SECURITY_POLICY%";
diff --git a/confs/server.conf b/confs/server.conf
index 514093f..88302c0 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -17,7 +17,7 @@ server {
 %X_FRAME_OPTIONS%
 %X_XSS_PROTECTION%
 %X_CONTENT_TYPE_OPTIONS%
- # TODO : CSP
+ %CONTENT_SECURITY_POLICY%
 %REFERRER_POLICY%
 %FEATURE_POLICY%
 %BLOCK_COUNTRY%
diff --git a/entrypoint.sh b/entrypoint.sh
index 3cfd3f1..2d49e4d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -54,6 +54,7 @@ PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS:-yes}"
 PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
 PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
 USE_MODSECURITY="${USE_MODSECURITY:-yes}"
+CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
 
 # replace values
 replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
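Review bot: The added more_set_headers line places the substituted policy inside a double-quoted nginx string, so a value containing `"` would terminate the string early and a `$name` token would be expanded as an nginx variable instead of being sent literally; the CSP grammar needs neither character, but nothing in this change prevents an operator from supplying one. A short comment on the line would make the contract explicit: `# %CONTENT_SECURITY_POLICY% is filled in by entrypoint.sh; the value must not contain a double quote or an nginx $variable reference`. Whether the entrypoint validates the value before substitution cannot be seen from this file.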
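Review bot: The `${CONTENT_SECURITY_POLICY:-…}` default on the added line is applied when the variable is unset or empty, so an operator who exports `CONTENT_SECURITY_POLICY=""` to switch the header off still receives the default policy, and the `else` branch that strips the placeholder in the later hunk of this file cannot be reached from the environment. The rest of this file uses `:-` as well, so if an explicit opt-out is intended it needs a distinct signal, for example a `USE_CONTENT_SECURITY_POLICY` yes/no switch beside the existing `USE_*` flags, or the `${CONTENT_SECURITY_POLICY-…}` form that only fills in an unset variable. Separately, the default string carries `reflected-xss` and `referrer`, which current browsers ignore as CSP directives (the `%REFERRER_POLICY%` placeholder already present in server.conf presumably covers referrer handling), and a `sandbox` directive that applies iframe-style restrictions to the whole site; a comment stating that this default is deliberately strict and expected to be overridden per application would save the next maintainer from guessing.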
@@ -215,6 +216,13 @@ if [ "$ERRORS" != "" ] ; then
 else
 replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
 fi
 
+if [ "$CONTENT_SECURITY_POLICY" != "" ] ; then
+ replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" "include /etc/nginx/content-security-policy.conf;"
+ replace_in_file "/etc/nginx/content-security-policy.conf" "%CONTENT_SECURITY_POLICY%" "$CONTENT_SECURITY_POLICY"
+else
+ replace_in_file "/etc/nginx/server.conf" "%CONTENT_SECURITY_POLICY%" ""
+fi
+
 # start PHP
 if [ "$USE_PHP" = "yes" ] ; then
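Review bot: The raw policy string is handed to replace_in_file on the second added replace_in_file line with no escaping, and that helper's implementation lies outside this hunk; if it is a sed-style substitution, a user-supplied policy containing `/`, `&` or `\` (any `https://cdn.example` source list is the everyday case) would be misinterpreted, so either confirm the helper escapes its replacement argument or document the restriction next to the default value. The `else` branch only blanks the include in server.conf and leaves the `%CONTENT_SECURITY_POLICY%` placeholder inside content-security-policy.conf, which is harmless because that file is no longer included, but a one-line comment such as `# header disabled: the include is dropped, the unused template keeps its placeholder` would stop a later reader from mistaking it for a missed substitution.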