From b98af5e96d9e87870190722eeca34a807abfc15c Mon Sep 17 00:00:00 2001 From: Fred Wenzel Date: Fri, 21 Apr 2017 21:57:48 -0700 Subject: [PATCH 1/4] Add default CSP Add a default CSP that allows anything from the local domain, plus inline styles, data: URIs, and no framing. --- Running-Mastodon/Production-guide.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Running-Mastodon/Production-guide.md b/Running-Mastodon/Production-guide.md index 53868da2..54aa5bae 100644 --- a/Running-Mastodon/Production-guide.md +++ b/Running-Mastodon/Production-guide.md @@ -12,7 +12,9 @@ The following HTTP headers are already set internally and should not be set agai ## Nginx -Regardless of whether you go with the Docker approach or not, here is an example Nginx server configuration: +Regardless of whether you go with the Docker approach or not, here is an example Nginx server configuration. + +At a minimum, you'll want to replace any occurrence of `example.com` with your actual hostname, and `/home/mastodon/live/public` with the location of your actual mastodon `public/` directory. ```nginx map $http_upgrade $connection_upgrade { @@ -58,6 +60,8 @@ server { gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; add_header Strict-Transport-Security "max-age=31536000"; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; media-src 'self' data:; connect-src 'self' wss://example.com; font-src 'self'; frame-ancestors 'none'; manifest-src 'self';"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; location / { try_files $uri @proxy; From 5bd6d4de270bd5ebc30ce1c15b7382f9dd00f688 Mon Sep 17 00:00:00 2001 From: Nolan Lawson Date: Wed, 3 May 2017 22:39:33 -0700 Subject: [PATCH 2/4] update image-src/media-src to be more lax --- Running-Mastodon/Production-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Running-Mastodon/Production-guide.md b/Running-Mastodon/Production-guide.md index 54aa5bae..8d39728d 100644 --- a/Running-Mastodon/Production-guide.md +++ b/Running-Mastodon/Production-guide.md @@ -60,7 +60,7 @@ server { gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; add_header Strict-Transport-Security "max-age=31536000"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; media-src 'self' data:; connect-src 'self' wss://example.com; font-src 'self'; frame-ancestors 'none'; manifest-src 'self';"; + add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://example.com; upgrade-insecure-requests"; add_header Referrer-Policy "strict-origin-when-cross-origin"; location / { From 444beff4047c70a3f08c17d0ebfca7185323fb09 Mon Sep 17 00:00:00 2001 From: Nolan Lawson Date: Sun, 7 May 2017 19:34:52 -0700 Subject: [PATCH 3/4] remove unsafe-inline from script-src --- Running-Mastodon/Production-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Running-Mastodon/Production-guide.md b/Running-Mastodon/Production-guide.md index 8d39728d..4601551d 100644 --- a/Running-Mastodon/Production-guide.md +++ b/Running-Mastodon/Production-guide.md @@ -60,7 +60,7 @@ server { gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; add_header Strict-Transport-Security "max-age=31536000"; - add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://example.com; upgrade-insecure-requests"; + add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://example.com; upgrade-insecure-requests"; add_header Referrer-Policy "strict-origin-when-cross-origin"; location / { From 8a57435b8880e1f1c2b674b99644c60477377342 Mon Sep 17 00:00:00 2001 From: Nolan Lawson Date: Sun, 7 May 2017 19:42:46 -0700 Subject: [PATCH 4/4] remove referrer-policy: strict-origin-when-cross-origin --- Running-Mastodon/Production-guide.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Running-Mastodon/Production-guide.md b/Running-Mastodon/Production-guide.md index 4601551d..de2e74d8 100644 --- a/Running-Mastodon/Production-guide.md +++ b/Running-Mastodon/Production-guide.md @@ -61,7 +61,6 @@ server { add_header Strict-Transport-Security "max-age=31536000"; add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://example.com; upgrade-insecure-requests"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; location / { try_files $uri @proxy;