Unverified Commit 3d636301 authored by Agate's avatar Agate 💬

Added CSP configuration

parent 0adc46cb
Pipeline #10455 passed with stage
in 6 minutes
......@@ -120,6 +120,7 @@ Role Variables
| `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server |
| `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server |
| `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory |
| `funkwhale_nginx_csp_policy` | `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"` | Content-Security-Policy header to us. You will need to tweak this if you're serving media files from a separate domain. |
| `funkwhale_database_managed` | `true` | If `true`, the role will manage the database server and Funkwhale's database |
| `funkwhale_database_name` | `funkwhale` | Name of the Funkwhale database to use |
| `funkwhale_database_user` | `funkwhale` | Postgresql username to login as |
......
......@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000
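Review bot: The default value of `funkwhale_nginx_csp_policy` leaves out `frame-ancestors`, `base-uri` and `form-action`, none of which fall back to `default-src`, so with this policy the pages can still be framed by any origin and an injected `<base>` element is unrestricted. Consider appending `base-uri 'self'; form-action 'self'; frame-ancestors 'self'` to the default. If this server block also serves an embeddable player meant to be framed by third-party sites, `frame-ancestors` would need to stay permissive for those paths, which is not visible from this hunk. The same string is repeated in the README table, so any change here has to be mirrored there.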
......
......@@ -30,7 +30,12 @@ server {
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif %}
{% endif -%}
{% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%}
root {{ funkwhale_frontend_path }};
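Review bot: The new `add_header Content-Security-Policy` line omits the `always` parameter, so nginx attaches the policy only to a fixed set of success and redirect status codes and leaves 4xx/5xx responses without it; `add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}" always;` covers those too. nginx also inherits `add_header` from the server level only into locations that declare no `add_header` of their own, so any `location` further down in this template that sets a header would silently drop both this policy and the HSTS header above. The server block continues outside the hunk, so that needs checking there. A short comment beside the directive, such as `# value is placed inside a double-quoted string: the policy must not contain "`, would help operators who override the variable.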
......