Caddy File Server - Problems with CSP

1. The problem I’m having:

Good day,

I’m new here and hope I can describe my problem well enough.
I recently switched from Apache2 to Caddy because security updates are important to me and this wasn’t always so easy with Apache2.
I run a simple, small web server that is only supposed to provide data for game servers like CS or Minecraft. For this I use Caddy’s integrated file server with the ability to navigate through the data (file_server browse).

This works without any problems so far, but I have problems setting the optimal security settings for the web server.
I’m in the process of restricting the HTTP headers and am stuck with the Content Security Policy (CSP). This is specifically about the entry style-src and script-src.

If I give both entries the value ‘none’, the website appears very restricted (Example 1). The following error messages can be seen in the DevTools browser (Example2):

This makes sense to me too since I don’t trust any sources. Now comes the point where I can’t get any further.
If I enter the value ‘unsafe-inline’ in both entries, the loaded images and the script on the website work again without any problems. However, I don’t think this is the right way because I’m just circumventing the problem and not solving the actual problem.

I tried to troubleshoot the problem based on the error description and, among other things, added a SHA256 hash under script-src. With the combination of style-src '‘unsafe_inline’ the website works a little better again, but certain script functions still don’t work. (For example the search field or swapping between list and GIrd - Example3).

According to the error message in the browser, I should work with the ‘unsafe-hashes’ command so that the content works. I researched it and discovered that errors occur when, for example, onload is used in the HTML file.

I looked at browse.html and found this entry at position 774.

Now I’ve reached a point where I no longer know exactly how to proceed. It could also be that I’m completely wrong and I haven’t configured something correctly. :slight_smile:

My goal is to make my content safely available to the public and to use the given functions safely.

Thank you for reading this far. :slight_smile:

best regards


2. Error messages and/or full log output:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'sha256-8zcg0Opv8dwoY1teqFCiZwXD2LqnIwT+bwKhfGPQKeA='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

3. Caddy version:


4. How I installed and ran Caddy:

I installed Caddy on a Debian 12 via this Guide: Install — Caddy Documentation
Caddy runs as a service in the background and only one domain is used:

a. System environment:

Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
cat /etc/debian_version → 12.4

b. Command:

Caddy run as a Service.

c. Service/unit/compose file:

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name. {
        # Set this path to your site's directory.
        root * /var/www/html

        # Enable the static file server.
        file_server {
        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
        header {
                # disable FLoC tracking
                Permissions-Policy "interest-cohort=()"

                # enable HSTS
                Strict-Transport-Security "max-age=31536000;"

                # disable clients from sniffing the media type
                X-Content-Type-Options "nosniff"

                # clickjacking protection
                X-Frame-Options "DENY"

                # restrict information
                Referrer-Policy "no-referrer"

                # disable URL Content
                Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src 'self'; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'sha256-8zcg0Opv8dwoY1teqFCiZwXD2LqnIwT+bwKhfGPQKeA='; form-action 'self'; worker-src 'none'; frame-src 'none'; require-trusted-types-for 'script';"

                # Remove Server Tag

# Refer to the Caddy docs for more information:

5. Links to relevant resources:

Github - Browse.html

Beitrag zum ‘unsafe-hashes’ Eintrag:

There’s no safety/security issue with the defaults. I’m not sure I understand why you think you need to do anything with CORS here.

You really don’t need any of those header you added to your site.

CORS is about rules for content being loaded on your page which isn’t from your current domain (cross-origin, meaning from other origins, i.e. other domains).

You’re not loading any external content here with a static file server, you’re only loading content from your own server.

Thank you very much for your message and the clarification. :slight_smile: I am reassured. I wish you a nice day. :smiley:

Best Regards