diff --git a/README.md b/README.md
index 7195c1749103b3a12166bdeb3fd1e2c082602fe3..3874c88db54649ff90e23353f147a3b6b29f94c3 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Role Variables
 | `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server |
 | `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server |
 | `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory |
+| `funkwhale_nginx_csp_policy` | `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"` | Content-Security-Policy header to us. You will need to tweak this if you're serving media files from a separate domain. |
 | `funkwhale_database_managed` | `true` | If `true`, the role will manage the database server and Funkwhale's database |
 | `funkwhale_database_name` | `funkwhale` | Name of the Funkwhale database to use |
 | `funkwhale_database_user` | `funkwhale` | Postgresql username to login as |
diff --git a/defaults/main.yml b/defaults/main.yml
index 90f6639fa260e5bfc2d423595d11dd69a69fcdb7..74ea9c7dd29b067740a92d522f58dee2639f55b9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,7 @@ funkwhale_letsencrypt_certbot_flags:
 funkwhale_letsencrypt_enabled: true
 funkwhale_letsencrypt_skip_cert: false
+funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
 funkwhale_redis_managed: true
 funkwhale_api_ip: 127.0.0.1
 funkwhale_api_port: 5000
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index 087aede08cb79ac7cdeb407404b1b02344aa8aa0..d7ff7462d9cbd4ccb80f5b0b061d83be79c450d3 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
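Review bot: The new `funkwhale_nginx_csp_policy` default in defaults/main.yml sets no `frame-ancestors` or `base-uri` directive, and neither of those falls back to `default-src`, so the policy as shipped does not restrict framing of the site and does not block `<base>` injection. Appending `base-uri 'self'` to the default string is low-risk, while `frame-ancestors` should be a deliberate choice rather than an omission, because `'self'` would break any use of the frontend as an embedded player on other sites if that is a supported feature here. Directives that are absent, such as `connect-src`, inherit `default-src 'self'`, so the README advice in this commit about a separate media domain presumably applies to any separate API origin as well; a comment above the default along the lines of `# Unlisted directives inherit default-src; frame-ancestors, base-uri and form-action do not and must be set explicitly` would make that visible to operators (the README row also reads "header to us" where "to use" is meant). The nginx template hunk that emits this header runs past the end of this view, so whether any location-level `add_header` later suppresses the inherited CSP and HSTS headers, as nginx does, could not be checked.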
@@ -30,7 +30,12 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
 add_header Strict-Transport-Security "max-age=63072000; preload";
- {% endif %}
+ {% endif -%}
+
+ {% if funkwhale_nginx_csp_policy -%}
+ # Security-related headers
+ add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
+ {% endif -%}
 root {{ funkwhale_frontend_path }};