Content-Security-Policy + other headers (v9)


I’m currently testing a bit of CSP and other headers. I don’t know every single thing about it, so I was hoping we can fill in the missing/wrong parts together and maybe one day we’ll find them in the documentation part for Nginx and Apache config or implemented directly in Seafile?!
I’ve seen the other posts, which are helpful, but also a little outdated.

I use nginx and I’m currently working on the location / part:

        add_header X-CSRFToken $cookie_sfcsrftoken;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header Permissions-Policy "accelerometer=(); ambient-light-sensor=(); autoplay=(); battery=(); camera=(); cross-origin-isolated=(); display-capture=(); document-domain=(); encrypted-media=(); execution-while-not-rendered=(); execution-while-out-of-viewport=(); fullscreen=(); geolocation=(); gyroscope=(); keyboard-map=(); magnetometer=(); microphone=(); midi=(); navigation-override=(); payment=(); picture-in-picture=(); publickey-credentials-get=(); screen-wake-lock=(); sync-xhr=(); usb=(); web-share=(); xr-spatial-tracking=(); clipboard-read=(); clipboard-write=(); gamepad=(); speaker-selection=(); conversion-measurement=(); focus-without-user-activation=(); hid=(); idle-detection=(); interest-cohort=(); serial=(); sync-script=(); trust-token-redemption=(); window-placement=(); vertical-scroll=();" always;
        add_header Referrer-Policy no-referrer;
        add_header Content-Security-Policy "default-src 'self'; script-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline'; require-trusted-types-for 'script'; object-src 'none'; font-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'; block-all-mixed-content;" always;

This works so far but I haven’t tried videos yet.

You can test your site there:

Change the domain in the link to your own or paste your domain in the box

1 Like

is deprecated. See Cross Site Scripting Prevention - OWASP Cheat Sheet Series

1 Like


Should we leave it like this:

#       add_header X-XSS-Protection "1; mode=block"; # Use it if you mainly use older browsers.
        add_header X-XSS-Protection "0"; and still recommend it for older browsers.