Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Content Security Policy help

2 years 9 months ago #218292 by jlhollowell
Replied by jlhollowell on topic Content Security Policy help
Hello,

I'm new to the forums here and relatively new to Limesurvey. I've setup an instance running with Nginx and just discovered, when attempting to set up a content security policy header, that the basic header breaks Limesurvey...or at least the admin login page. I searched around trying to find some documentation here and this is where I ended up.

I guess I need to add to this:

add_header Content-Security-Policy "default-src 'self';" always;

Thanks in advance for any help available.

Cheers

Jason
The topic has been locked.
2 years 9 months ago #218294 by jcarberry
Replied by jcarberry on topic Content Security Policy help
Have you tried:
1. configuring CSP to send a report when there are infractions of the policy?
2. checking the browser console for any CSP errors?

With those two tools and visiting every possible page you should be able to detect what you wish to permit in your CSP.

Best to do this without any extensions in your browser, as some of them can inject code in the pages that might trigger CSP errors.
2 years 9 months ago #218295 by DenisChenu
Replied by DenisChenu on topic Content Security Policy help

Hello,

I'm new to the forums here and relatively new to Limesurvey. I've setup an instance running with Nginx and just discovered, when attempting to set up a content security policy header, that the basic header breaks Limesurvey...or at least the admin login page. I searched around trying to find some documentation here and this is where I ended up.

I guess I need to add to this:

add_header Content-Security-Policy "default-src 'self';" always;

Thanks in advance for any help available.

Cheers

Jason
Did you read the topic?

Clearly written "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" some posts before.


Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
2 years 9 months ago #218299 by jlhollowell
Replied by jlhollowell on topic Content Security Policy help
Denis,

Thanks for the reply. No, unfortunately, I didn't/don't see the line you are referring to...I see the following:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"

Which Nginx does not like and I see a subsequent message that you posted "Seems we need the 'unsafe-eval' … for public part" but the line you provided here " "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" I don't find. Maybe it was deleted...? Or possibly I was supposed to parse it from the longer line I pasted above. Sorry, I'm relatively new to Nginx as well as to Content Security Policy headers...I'll get there but will probably irritate a few people along the way...not by intention of course. ;-)

At any rate, I will give it a try and hope for the best.

Regards
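As an added example (not part of any post in this thread, and not LimeSurvey's or h5bp's own configuration), here is how the Apache line Jason pasted maps onto Nginx, combined with jcarberry's suggestion of running the policy in report-only mode first. Apache's `"expr=%{CONTENT_TYPE} =~ ..."` argument only sets the header on HTML, JavaScript, PDF and XML responses; Nginx has no inline condition on `add_header`, so the usual substitute is a `map` on the response Content-Type that yields an empty string (and therefore no header) for everything else. The policy text is the one quoted in the thread; the `server_name`, the PHP-FPM socket path and the `/csp-report` endpoint are placeholders.

```nginx
# Added example: Nginx equivalent of the Apache
#   Header always set Content-Security-Policy "..." "expr=%{CONTENT_TYPE} =~ m#...#i"
# Goes in the http {} context. An empty map value means add_header sends nothing.
map $sent_http_content_type $csp_policy {
    default "";
    # Same (unanchored, case-insensitive) match as the Apache expr= regex.
    "~*text/(html|javascript)|application/pdf|xml"
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; report-uri /csp-report";
}

server {
    listen 443 ssl;
    server_name survey.example.org;   # placeholder

    # Step 1: report-only while you click through every LimeSurvey page (admin
    # and public side). Nothing is blocked; violations show up in the browser
    # console and are POSTed as JSON to the report-uri endpoint.
    add_header Content-Security-Policy-Report-Only $csp_policy always;

    # Step 2: once the console and the reports are clean, enforce the policy by
    # replacing the directive above with:
    #   add_header Content-Security-Policy $csp_policy always;

    # Caveat: a location block that contains its own add_header does NOT inherit
    # the add_header lines of the server block. Repeat the CSP header in every
    # such location, or those responses silently go out without it.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        add_header Content-Security-Policy-Report-Only $csp_policy always;
    }

    # Placeholder endpoint for the violation reports; point it at whatever you
    # use to collect them (an application route or a log-only handler).
    location = /csp-report {
        return 204;
    }
}
```

The `always` parameter matters for the login page: without it Nginx only adds the header on 2xx/3xx responses, so error pages and redirects would be served without any policy. Test with `nginx -t` before reloading, and check the console with browser extensions disabled, as jcarberry notes, since extensions inject their own scripts and produce violations that have nothing to do with LimeSurvey.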
2 years 9 months ago #218302 by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Hi,

CSP I came up with was for Apache - I'm not familiar with Nginx either I'm afraid.

The CSP info mostly came from h5bp/server-configs-apache
There's an Nginx equivalent but the CSP info seems lacking. Not sure if it's helpful.

Also see the section I added to the wiki

Thanks,
Andy
The following user(s) said Thank You: DenisChenu, jlhollowell
2 years 9 months ago #218305 by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
The following user(s) said Thank You: jlhollowell