Hello,
I’m currently working on hardening my Nextcloud server and I have a few questions regarding the configuration of “Content Security Policy (CSP)”.
I’ve read that Nextcloud handles CSP internally through PHP, not via the virtual host configuration.
I’ve noticed that some paths include the header:
https://my.domain.com/index.php/login
but others don’t:
https://my.domain.com/index.html
Is it possible to define CSP policies directly in config.php? For example:

```php
'csp.policies' => [
    'script-src' => ["'self'", "'unsafe-inline'"],
    // ...
],
```
Or would this conflict with Nextcloud’s internal CSP management?
Because there are also the following references in the code:

```
find -xdev -type f -name "*.php" -exec grep --with-filename "unsafe-inline" {} \;
./apps/app_api/lib/Controller/TopMenuController.php: $csp->addAllowedScriptDomain('\'unsafe-inline\'');
./apps/suspicious_login/vendor-bin/psalm/vendor/nextcloud/ocp/OCP/AppFramework/Http/ContentSecurityPolicy.php: * This class allows unsafe-inline of CSS.
./apps/suspicious_login/vendor-bin/psalm/vendor/nextcloud/ocp/OCP/AppFramework/Http/EmptyContentSecurityPolicy.php: $policy .= ' \'unsafe-inline\'';
./lib/private/EventSource.php: header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'");
./lib/private/legacy/OC_Response.php: . 'style-src \'self\' \'unsafe-inline\'; '
./lib/public/AppFramework/Http/ContentSecurityPolicy.php: * This class allows unsafe-inline of CSS.
./lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php: $policy .= ' \'unsafe-inline\'';
```
Any advice or best practices would be greatly appreciated!
Thanks in advance!
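Before changing anything in config.php, it helps to know which paths actually send a Content-Security-Policy header and which directives in it carry `'unsafe-inline'` or `'unsafe-eval'`. The audit script below is an added example for this thread, not code from the post or from Nextcloud. It parses raw header values into directives, flags the weak keyword sources, and classifies each path as missing / weak / ok. The sample responses are constructed from the two header strings quoted above (EventSource.php and OC_Response.php) plus a path with no header, so it runs offline; `fetch_csp()` is an optional helper for running the same check against a live server with the standard library.

```python
"""Audit Content-Security-Policy headers for 'unsafe-inline' / 'unsafe-eval'.

Added example, not Nextcloud code. SAMPLE_RESPONSES is constructed from the
header strings quoted in the post; the hostname used by fetch_csp() is
whatever the caller passes in.
"""
from typing import Dict, List, Optional
from urllib.error import HTTPError
from urllib.request import urlopen

# Keyword sources that reintroduce inline/eval'd script or style.
WEAK_TOKENS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive and are lowercased; a repeated directive is
    ignored by browsers, so the first occurrence wins here as well.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def weak_directives(policy: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the directives that allow inline or eval'd code, with the tokens found."""
    findings: Dict[str, List[str]] = {}
    for name, sources in policy.items():
        weak = [s for s in sources if s.lower() in WEAK_TOKENS]
        if weak:
            findings[name] = weak
    return findings


def audit(responses: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each path by its CSP header value (None = header absent)."""
    report: Dict[str, str] = {}
    for path, header in responses.items():
        if header is None:
            report[path] = "missing"
            continue
        weak = weak_directives(parse_csp(header))
        if weak:
            details = ", ".join(f"{d}={' '.join(t)}" for d, t in sorted(weak.items()))
            report[path] = "weak: " + details
        else:
            report[path] = "ok"
    return report


def fetch_csp(url: str) -> Optional[str]:
    """Fetch a URL and return its Content-Security-Policy header, or None.

    Non-2xx responses still carry headers, so an HTTPError is inspected
    rather than treated as a failure. Network access is only used here.
    """
    try:
        with urlopen(url) as resp:
            return resp.headers.get("Content-Security-Policy")
    except HTTPError as err:
        return err.headers.get("Content-Security-Policy")


# Constructed sample: the two header values quoted in the post as they would
# appear on the wire, plus a static path that returns no CSP header at all.
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "/index.php/login": "default-src 'none'; script-src 'unsafe-inline'",
    "/index.php/apps/files": "default-src 'self'; style-src 'self' 'unsafe-inline'; ",
    "/index.html": None,
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{path}: {verdict}")
```

To run it against a real instance, build the dictionary with `{path: fetch_csp(base_url + path) for path in paths}` and pass it to `audit()`; a "missing" verdict on a static file such as `/index.html` is expected when the header is only emitted by PHP responses, which is exactly the behaviour the question describes.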