Denis,
Thanks for the reply. No, unfortunately, I didn't/don't see the line you are referring to...I see the following:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
Which Nginx does not like, and I see a subsequent message that you posted, "Seems we need the 'unsafe-eval' … for public part", but the line you provided here, "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';", I don't find. Maybe it was deleted...? Or possibly I was supposed to parse it from the longer line I pasted above. Sorry, I'm relatively new to Nginx as well as to Content Security Policy headers... I'll get there but will probably irritate a few people along the way... not by intention, of course.
At any rate, I will give it a try and hope for the best.
Regards
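
The Apache `Header always set ... "expr=..."` line quoted in the post above, expressed in Nginx syntax (an added example, not part of the original post or of the project's own configuration). The variable name `$csp_header` is hypothetical, and the `server` block is a skeleton into which the site's existing directives would go.

```nginx
# Goes in the http {} context. Nginx has no equivalent of Apache's
# "expr=" condition on a header directive, so the content-type test is
# done with a map on the Content-Type of the outgoing response.
map $sent_http_content_type $csp_header {
    # Any other content type: empty value. Nginx does not emit a header
    # whose value is an empty string, so these responses get no CSP.
    default "";

    # Same pattern as the Apache expr, case-insensitive (~*).
    "~*text/(html|javascript)|application/pdf|xml" "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
}

server {
    # ... existing listen / server_name / location directives ...

    # "always" sends the header on error responses too, matching the
    # behaviour of "Header always set" in Apache.
    add_header Content-Security-Policy $csp_header always;

    # Caveat: add_header directives are inherited from this level only if
    # a nested location {} defines no add_header of its own. Any location
    # that sets other headers must repeat the line above.
}
```

After reloading, `curl -sI` against an HTML page and against an image shows whether the header appears on the first and is absent on the second.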