
I have an Nginx server with Ubuntu 18.04 and a Drupal 8 site.

I have read in several articles that I should not use 'unsafe-eval' or 'unsafe-inline'.

I added headers for security but the pages of the site are no longer loaded correctly.

Here is my Nginx configuration and the error messages:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin";
add_header Content-Security-Policy "default-src 'self' https: data:; base-uri 'self';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Feature-Policy "speaker 'none';";

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' https: data:". Either the 'unsafe-inline' keyword, a hash ('sha256-Wtc+ZaqA71uBsN9DYJuo5jJMS66UuS5tCIAZnHYzzak='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Mathieu
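
The console error above names a hash source as one alternative to 'unsafe-inline'. The following is an added example, not part of the original question: it lists the hash sources for a page's inline `<style>` elements and counts `style=""` attributes, which a plain hash does not match. The names `InlineStyles`, `csp_hash`, `style_src_for` and `SAMPLE` are assumptions of this example, and the base source list is copied from the question's `default-src`.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineStyles(HTMLParser):
    """Collect <style> element text and count style="" attributes."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.blocks = []      # text of each <style> element
        self.style_attrs = 0  # style="" attributes, not matched by plain hashes

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
            self.blocks.append("")
        self.style_attrs += sum(1 for name, _ in attrs if name == "style")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.blocks[-1] += data


def csp_hash(css_text):
    """Hash source as the browser computes it: base64(SHA-256(element text))."""
    digest = hashlib.sha256(css_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def style_src_for(html, base="'self' https: data:"):
    """Return (style-src directive, count of style="" attributes found)."""
    parser = InlineStyles()
    parser.feed(html)
    parser.close()
    hashes = sorted({csp_hash(block) for block in parser.blocks})
    return "style-src " + " ".join([base] + hashes), parser.style_attrs


# Constructed sample page, not markup from the site in the question.
SAMPLE = ('<html><head><style></style><style>.a{color:red}</style></head>'
          '<body><p style="margin:0">x</p></body></html>')

if __name__ == "__main__":
    print(*style_src_for(SAMPLE))
```

The hash covers the exact text of the element, so any change to the inline CSS, including whitespace, produces a different value and the directive has to be regenerated.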
