Closed tomlawesome closed 4 months ago
While we wait for this, note that you can use a custom response header:
# CSP keyword sources must be single-quoted ('self', 'none', 'unsafe-inline');
# unquoted they are read as host names and the directive is ignored.
customResponseHeaders:
  Content-Security-Policy-Report-Only: >-
    connect-src 'self';
    default-src 'none';
    font-src 'self';
    img-src 'self';
    script-src 'self';
    style-src 'self' 'unsafe-inline';
I think it is time to give this request a bump
While it should be possible to use a customResponseHeader to express this, it causes issues when trying to express a configuration as 'infrastructure as code'.
It is very easy to switch between "contentSecurityPolicy" and "Content-Security-Policy-Report-Only" using an environment variable, but also having to switch between a builtin header definition and a customResponseHeader is not so easy, and the result is not as easy to follow when the config is revisited by another person.
As an example, my definition within a docker-compose file currently looks like this:
- "traefik.http.middlewares.security-headers.headers.${DOCKER_TRAEFIK_CSP_CMD}${DOCKER_TRAEFIK_CSP_LINE1};${DOCKER_TRAEFIK_CSP_LINEEND}"
With a growing number of 'LINEx' variables being added, the CSP becomes more of an essay than a line entry. To support both header types, all I would need to do is change the value of DOCKER_TRAEFIK_CSP_CMD to switch between them. Instead, I have to be creative and include more of the traefik label within the environment variable, which makes things harder to read.
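Putting the workaround and the "switch between modes" problem together, here is an added example (not from this issue or from Traefik's own docs) of a Traefik file-provider dynamic configuration that keeps the report-only and the enforced variant of one policy side by side as two middlewares, so a router only has to change one middleware name. The middleware names, the host `app.example.com`, the upstream URL and the `/csp-report` endpoint are assumptions; the directive list is illustrative.

```yaml
# Traefik dynamic configuration (file provider); constructed example.
http:
  middlewares:
    # Stage 1: report only. Traefik has no built-in option for this header,
    # so it is set through customResponseHeaders. Without a report-uri or
    # report-to directive the browser only logs violations to its devtools
    # console, so a report endpoint (assumed: /csp-report) is included.
    csp-report-only:
      headers:
        customResponseHeaders:
          Content-Security-Policy-Report-Only: >-
            default-src 'none';
            connect-src 'self';
            font-src 'self';
            img-src 'self';
            script-src 'self';
            style-src 'self';
            report-uri /csp-report
    # Stage 2: enforce. Same directives, now via the built-in option.
    csp-enforce:
      headers:
        contentSecurityPolicy: >-
          default-src 'none';
          connect-src 'self';
          font-src 'self';
          img-src 'self';
          script-src 'self';
          style-src 'self'
  routers:
    app:
      rule: "Host(`app.example.com`)"   # hostname is an assumption
      service: app
      middlewares:
        - csp-report-only   # swap for csp-enforce once the reports are clean
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"   # assumed upstream
```

The `>-` folded scalar joins the directive lines with single spaces into one header value; the application behind `/csp-report` must accept the browser's POSTed JSON violation reports.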
Feature request
Add support for Content-Security-Policy-Report-Only. We can use the standard CSP header with 'contentSecurityPolicy', but it would be nice to be able to instead use it in Report-Only mode. This would help many users to develop their CSP using web tools before deploying it to their 'production' environment or (in my case, as a home user) homelab.
What did you expect to see?
contentSecurityPolicyReportOnly in available header middlewares.
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only