Fix Content Security Policy on Nginx
Last updated: April 2026
Add a Content-Security-Policy header to your Nginx server block. Start with report-only mode to avoid breaking your site.
Basic CSP: add to server block
server {
# "always" makes Nginx send the header on error responses too, not only 2xx/3xx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'none'; object-src 'none'" always;
}
With Google Fonts and Analytics
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; frame-ancestors 'none'; object-src 'none'" always;
Report-only mode: test without blocking
# Violations are logged by the browser and POSTed as JSON to /csp-report, nothing is blocked.
# report-uri is deprecated in favour of report-to but is still honoured by current browsers.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'; object-src 'none'; report-uri /csp-report" always;
Reload and verify
nginx -t && nginx -s reload
curl -sI https://yoursite.com | grep -i content-security
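Before reloading, it helps to lint the policy string itself and to know what the reports posted to /csp-report look like. The following Python is an added example, not part of this guide; the weak policy and the sample report are constructed, and the base-uri check goes beyond the directives the guide uses.

```python
import json

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Directives are ';'-separated; a repeated directive is ignored (first wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

BROAD = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:")

def lint_csp(header):
    """Return the findings a reviewer would raise against a policy string."""
    p = parse_csp(header)
    findings = []
    # script-src and object-src fall back to default-src; frame-ancestors
    # and base-uri have no fallback and must be set explicitly.
    script = p.get("script-src", p.get("default-src"))
    if script is None:
        findings.append("scripts unrestricted: neither script-src nor default-src set")
    else:
        findings += [f"script-src allows {s}" for s in BROAD if s in script]
    if "object-src" not in p and "default-src" not in p:
        findings.append("object-src missing: plugin content unrestricted")
    if "frame-ancestors" not in p:
        findings.append("frame-ancestors missing: page can be framed (clickjacking)")
    if "base-uri" not in p:
        findings.append("base-uri missing: injected <base> can redirect relative script URLs")
    if "'unsafe-inline'" in p.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline' (CSS injection; lower risk than script)")
    return findings

def summarize_report(body):
    """Reduce a browser's report-uri POST body to the fields worth alerting on."""
    r = json.loads(body)["csp-report"]
    return (r.get("effective-directive") or r.get("violated-directive"),
            r.get("blocked-uri"), r.get("document-uri"))

# The guide's basic policy, and a deliberately weak one for contrast (constructed).
BASIC = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
         "img-src 'self' data: https:; font-src 'self'; frame-ancestors 'none'; object-src 'none'")
WEAK = "default-src *; script-src 'unsafe-inline' https:"
# Constructed sample report, shaped like what a browser POSTs to /csp-report.
SAMPLE_REPORT = json.dumps({"csp-report": {"document-uri": "https://yoursite.com/",
    "effective-directive": "script-src", "blocked-uri": "inline",
    "violated-directive": "script-src 'self'"}})

if __name__ == "__main__":
    print("basic:", lint_csp(BASIC))
    print("weak:", lint_csp(WEAK))
    print(summarize_report(SAMPLE_REPORT))
```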