Content Security Policy (CSP) header setting for Seafile?

Hi,
I’m trying to make my NGINX server more secure, but this also work on Apache2.

What’s the best settings for the Content Security Policy (CSP) header for Seafile?
I have been “labbing” some now and if you make this wrong the site are not working as attended so I’m wondering if someone have been using this before and have some guidelines?

Please see: https://forum.seafile.com/search?q=csp

I use this on Apache:
Header set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ 'self' 'unsafe-inline' 'unsafe-eval'; img-src blob: https://[domain].[tld] 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline';"

Do you have it like that with the seafile.com address or so you replace it with your own address?

I have it like that in my apache conf, because there are some links from Seafile Website itself within the application (download link for the client, found this link in the html source code http://seafile.com/en/about/) and think i would break things if i did it not like this. I have open another topic where i was asking about a more fine grained CSP, but nobody could help me out till now.

The only variable part in the policy is this pattern: “https://[domain].[tld]”

HTH

Mozillas Observatory https://observatory.mozilla.org/ is not fine with this seetings, but i dont get them better till now.

1 Like

Like in this post, it’s the best CSP i could find, thanks for sharing again: Check security server