Why is Content-Security-Policy ignored?

Caddy version: 2.5.1:

How I run Caddy: Using the official (alpine) Docker image.

Hello everyone,
I have just switched from NGINX to Caddy for an internal app and now I’m trying to make things better.
Specifically, I’m trying to set some security headers.
I had no problems with Strict-Transport-Security but I have no luck with Content-Security-Policy.

I have added the directive to my Caddyfile as below

staging.inforlife.ch {
  reverse_proxy app:3000

  header {
    # enable HSTS
    Strict-Transport-Security max-age=31536000;
    # disable FLoC tracking
    Permissions-Policy interest-cohort=()
    # refuse to be rendered inside a frame on any site (clickjacking)
    X-Frame-Options "Deny"
    Content-Security-Policy "
        default-src 'self';
        style-src 'self';
        script-src 'self';
        font-src 'self';
        img-src 'self';
        form-action 'self';
        connect-src 'self';
        frame-ancestors 'none';
    "
  }
}

But it’s not picked up.

Am I missing anything here?

Thanks,
Sig

1 Like

Try removing the newlines. It might not be getting parsed correctly with newlines in the header value.

    Content-Security-Policy "default-src 'self'; style-src 'self'; script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none';"
2 Likes
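The reason the one-line form works is that an HTTP header value is a single line: bare CR/LF inside the value is not legal, and the multi-line Caddyfile string pulls those characters (and the indentation) into the value. The script below is an added example, not part of this thread or of Caddy: it parses a CSP value the way a browser splits it (directives by `;`, tokens by whitespace), rejects values containing control characters, collapses a multi-line value into the one-line form, and flags the usual weak source expressions. The sample values are constructed from the policy in the original post.

```python
"""Check that a Content-Security-Policy value is one well-formed line.

Added example (not from the Caddy forum thread or the Caddy project).
Feed it the header value your site actually sends, e.g. the value printed by
`curl -sI https://<your-host>/ | grep -i content-security-policy`.
"""
import re

# Constructed sample: the single-line value recommended in the reply.
ONE_LINE_CSP = (
    "default-src 'self'; style-src 'self'; script-src 'self'; "
    "font-src 'self'; img-src 'self'; form-action 'self'; "
    "connect-src 'self'; frame-ancestors 'none';"
)

# Constructed sample: what a multi-line Caddyfile string turns into, with the
# newlines and indentation carried into the header value.
MULTI_LINE_CSP = "\n        default-src 'self';\n        style-src 'self';\n    "

# Constructed sample of a policy that parses fine but is weak.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval';"

# Characters that may never appear in an HTTP header field value.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Source expressions that defeat most of the protection CSP offers.
_WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}


class CspError(ValueError):
    """Raised when the value cannot be sent as a header or is ambiguous."""


def header_value_is_valid(value):
    """True if the value contains no CR/LF or other control characters."""
    return _CONTROL_CHARS.search(value) is None


def parse_csp(value):
    """Return {directive_name: [source_expressions]} for a CSP header value.

    Raises CspError on control characters (the multi-line case) and on a
    repeated directive, which browsers silently ignore after the first one.
    """
    if not header_value_is_valid(value):
        raise CspError(
            "control character in header value; keep the Caddyfile string on one line"
        )
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:  # empty segment, e.g. after the trailing ';'
            continue
        name = tokens[0].lower()
        if name in policy:
            raise CspError(f"duplicate directive {name!r}; browsers keep only the first")
        policy[name] = tokens[1:]
    return policy


def normalize_csp(value):
    """Collapse a multi-line value into the single-line form a header needs."""
    flat = re.sub(r"\s+", " ", value)
    policy = parse_csp(flat)
    return "; ".join(f"{n} {' '.join(s)}".strip() for n, s in policy.items()) + ";"


def weak_sources(policy):
    """List (directive, source) pairs that weaken the policy."""
    return [(n, s) for n, sources in policy.items() for s in sources if s in _WEAK_SOURCES]


if __name__ == "__main__":
    print("one-line value valid:", header_value_is_valid(ONE_LINE_CSP))
    print("multi-line value valid:", header_value_is_valid(MULTI_LINE_CSP))
    print("normalized:", normalize_csp(MULTI_LINE_CSP))
    print("weak sources:", weak_sources(parse_csp(WEAK_CSP)))
```

`normalize_csp` gives you the line to paste into the Caddyfile if you started from a multi-line draft; `weak_sources` is a quick sanity check that the policy you end up serving still says what you meant.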

Thanks for your help. The newlines seem to be the cause of this issue.

2 Likes
