1

I am attempting to create a strong and secure content-security-policy in nginx, running a wordpress based LEMP Server. I believe I am using the ngx_pagespeed.so module, and have implemented FastCGI on my server. I believe one of these features renders my jpeg images into webP images on the fly.

In my content-security-policy directive on Nginx, I am attempting to eliminate XSS attacks, while still embracing the use of webP images created by either the pagespeed module or FastCGI.

However, for the CSP to allow webP images, I need to put img-src 'self' data:; in my content security policy header directive like so:

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:;";

The problem with this is that enabling the data: block makes my website vulnerable to XSS attacks, effectively rendering the content security policy pointless. So it seems as though I can either have a super secure but slow website using regular jpegs, or, I can have a super insecure but fast website using server rendered webP images.

My question is, is there a way to specify only webP images to be allowed in the CSP directive img-src 'self' data;";? Ideally, I want to tell nginx that webP images should be approved in the CSP, but any other images outside of my site or the webP format, should be blocked.

Is this possible? If not, it seems like a CSP is rather pointless for at least 50% of servers out there. If so, then could you help me figure this out and let me know how I can implement a directive that defines webP as an allowed format in my CSP?

Thanks for any help!

DanRan
  • 73
  • 1
  • 1
  • 12

0 Answers0