Fix Content Security Policy on Nginx
CSP belongs in HTTP headers, typically via add_header Content-Security-Policy "..." always; in Nginx. The always flag matters: without it, add_header is skipped on 4xx and 5xx responses, so error pages go out unprotected. Also note that add_header directives are inherited from the server block only when the location declares none of its own; the moment a location adds any header, the inherited ones (the policy included) disappear and must be restated. Start from report-only mode (Content-Security-Policy-Report-Only with a report-uri that actually collects violations) if you inherit a large legacy app, then tighten script-src once the violation stream goes quiet.
Inline bootstrap snippets need nonces or hashes: generate a fresh, unguessable nonce per response in your template layer (or hash a snippet whose content never changes), rather than permanently allowing 'unsafe-inline'. Give API subdomains their own policy, in their own server block, if they ship a different asset tier; an API that returns only JSON has no reason to inherit the app's script allow-list.
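The rollout described above as one Nginx configuration, added here as an illustration and not the page's or CSPFixer's own config. The host names, upstream addresses, certificate paths, the /csp-report collector path and the X-CSP-Nonce hand-off header are placeholders chosen for the example; the app is assumed to generate the nonce in its templates and echo it in that private header so the policy text lives in one place.

```nginx
# Added example, not the page's or CSPFixer's own configuration. Host names,
# upstream addresses, certificate paths, /csp-report and the X-CSP-Nonce
# header are placeholders.

# App tier: HTML that carries inline bootstrap snippets.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/ssl/app.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/app.example.com.key;   # placeholder

    # Server-level header; see the /static/ block for the inheritance gotcha.
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # The app renders a per-request nonce into <script nonce="..."> and
        # echoes it in X-CSP-Nonce. Nginx reads it via $upstream_http_x_csp_nonce
        # and strips the private header before the response reaches the client.
        proxy_hide_header X-CSP-Nonce;

        # Phase 1: report only. Nothing is blocked; violations are POSTed to
        # /csp-report. "always" attaches the header to 4xx/5xx responses too.
        add_header Content-Security-Policy-Report-Only
            "default-src 'self'; script-src 'self' 'nonce-$upstream_http_x_csp_nonce'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report" always;

        # Phase 2, once the report stream is quiet: same value, enforcing name.
        # add_header Content-Security-Policy
        #     "default-src 'self'; script-src 'self' 'nonce-$upstream_http_x_csp_nonce'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report" always;

        # This location declares add_header lines of its own, so the server-level
        # nosniff header is no longer inherited and has to be restated here.
        add_header X-Content-Type-Options nosniff always;
    }

    location = /csp-report {
        # Violation reports are JSON POSTs from browsers: cap the body size and
        # hand them to a collector rather than to the app's general log.
        client_max_body_size 16k;
        proxy_pass http://127.0.0.1:9000;
    }

    location /static/ {
        root /srv/app;
        # Static assets never get a nonce; give them a closed policy of their own.
        # Any add_header here replaces every inherited add_header, hence the
        # repeated nosniff line.
        add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
        add_header X-Content-Type-Options nosniff always;
        add_header Cache-Control "public, max-age=3600" always;
    }
}

# API subdomain: a different asset tier gets its own stricter policy in its
# own server block instead of inheriting the app's allow-list.
server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/ssl/api.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/api.example.com.key;   # placeholder

    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass http://127.0.0.1:8081;
    }
}
```

Two checks before cutting over to the enforcing header: confirm with curl -sI that an error response (for example a 404) still carries the policy, which is what always buys you, and confirm the app is not also emitting a Content-Security-Policy header of its own. A browser enforces every CSP header it receives, so two policies on one response are effectively intersected, and a nonce present in only one of them does not unblock the inline snippet.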
CSPFixer fetches HTML, lists origins, and proposes a policy that covers them.
Open CSPFixer →