Content Security Policy Config


I am trying to balance my home server web server security and have Nextcloud function properly. CSP is causing issues in the apache.conf folder.

If I set
Header set Content-Security-Policy: "default-src 'self' data: 'unsafe-inline' 'unsafe-eval';"

Nextcloud works perfectly. However, all my security scans give me warnings due to the eval and inline security flaws. To fix this I can remove these from my CSP config and Nextcloud then stops working.

My questions are:

  1. Is there a set CSP policy I can have to use Nextcloud and not have the risk of inline/eval?
  2. Nextcloud is the only service on the server. Do I need CSP at all in my apache.conf as I don't host any other HTML?

I've looked a lot on Google and there is much on setting CSP and Nextcloud, but not together, for the semi-noob.


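A small audit of what those scanners are really flagging, added here as an example that is not from the thread or from Nextcloud: it parses a policy value, applies the default-src fallback, and reports which of 'unsafe-inline' / 'unsafe-eval' are in effect for scripts and styles. The sample policies are constructed and the nonce value is a placeholder.

```python
import re

# Where each flagged keyword actually has an effect: eval only matters for scripts,
# inline for both inline scripts and inline styles.
RELEVANT = {
    "script-src": ("'unsafe-inline'", "'unsafe-eval'"),
    "style-src": ("'unsafe-inline'",),
}
# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "connect-src",
                       "font-src", "object-src", "media-src", "frame-src")
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha256-|sha384-|sha512-)", re.IGNORECASE)


def parse_csp(header):
    """Split a CSP header value into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def audit_csp(header):
    """Return sorted (directive, keyword) pairs for every unsafe keyword that is in effect."""
    policy = parse_csp(header)
    findings = []
    for directive, keywords in RELEVANT.items():
        sources = [s.lower() for s in effective_sources(policy, directive)]
        # CSP level 2+: a nonce or hash in the same directive makes 'unsafe-inline' ignored.
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
        for kw in keywords:
            if kw in sources and not (kw == "'unsafe-inline'" and has_nonce_or_hash):
                findings.append((directive, kw))
    return sorted(findings)


# Constructed samples: the policy from the question, a narrowed variant that keeps only
# eval for JS and inline for CSS, and a nonce-based script policy with a placeholder nonce.
SAMPLE_POLICIES = {
    "question": "default-src 'self' data: 'unsafe-inline' 'unsafe-eval';",
    "narrowed": "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
    "nonced": "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER' 'unsafe-inline'; style-src 'self'",
}
```

Calling audit_csp on the first sample shows that a bare default-src spreads both keywords to scripts and styles at once, which is why splitting the policy per directive already shrinks what a scanner reports.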


Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. Devs are already aware of that and trying to remove it:

Because it is not easy to do and requires a lot of changes in the code, it takes some time. However it is in the Backlog of the “Security Hardenings” (first column on the left side):

This CSP header entry should not be a serious issue though since @LukasReschke made some changes:

This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874


As soon as the code base has been adapted the CSP header will be removed by Nextcloud with a feature update. So there is nothing to do for you. Just wait until it’s “enhanced” (not to say fixed) :slight_smile:

But I’m with you; I’m also hoping it is done soon :slight_smile:

FYI this is done for Nextcloud 15. It’ll require some changes in apps, of course…


Is it possible to remove ‘unsafe-inline’ now? I’m on Nextcloud 17 and that policy is still being set.

nextcloud # find -xdev -type f -name "*.php" -exec grep --with-filename "unsafe-inline" {} \;


 * This class allows unsafe-eval of javascript and unsafe-inline of CSS.

$policy .= ' \'unsafe-inline\'';