I'm trying to balance my home server web server security and have Nextcloud function properly. CSP is causing issues in the apache.conf folder.
If I set
Header set Content-Security-Policy: "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"
Nextcloud works perfectly. However, all my security scans give me warnings due to the eval and inline security flaws. To fix this I can remove these from my CSP config and Nextcloud then stops working.
My questions are:
- Is there a set CSP policy I can have to use Nextcloud and not have the risk of inline/eval?
- Nextcloud is the only service on the server. Do I need CSP at all in my apache.conf as I don't host any other HTML?
I've looked a lot on Google and there is much on setting CSP and Nextcloud and not together for the semi noob.
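
Added example, not part of the original post: a small Python check that parses a CSP header value and reports which keywords in it trigger the inline/eval scanner warnings described above, including when they are inherited through default-src. The function names and the second (constructed) policy with its placeholder nonce are assumptions for illustration, not Nextcloud's actual policy.

```python
# Added example: list the CSP keywords that scanners flag as inline/eval risks.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; the first one wins.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit(policy):
    """Return (directive, inherited_from, keyword) for each risky keyword."""
    directives = parse_csp(policy)
    findings = []
    for name in ("script-src", "style-src"):
        # script-src and style-src fall back to default-src when absent.
        via = name if name in directives else "default-src"
        sources = [s.lower() for s in directives.get(via, [])]
        # Browsers ignore 'unsafe-inline' when a nonce or hash is listed.
        guarded = any(s.startswith(HASH_OR_NONCE) for s in sources)
        if "'unsafe-inline'" in sources and not guarded:
            findings.append((name, via, "'unsafe-inline'"))
        if name == "script-src" and "'unsafe-eval'" in sources:
            findings.append((name, via, "'unsafe-eval'"))
    return findings

# The policy from the post.
POSTED = "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"
# Constructed comparison policy; the nonce value is a placeholder.
CONSTRUCTED = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
               "style-src 'self' 'unsafe-inline'")

if __name__ == "__main__":
    for label, policy in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label)
        for directive, via, keyword in audit(policy):
            print(f"  {directive} (via {via}) allows {keyword}")
```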