Reputation: 1
How do I add a Content Security Policy (CSP) to the nginxinc ingress controller or to an ingress rule?
I tried both of the annotations below on the ingress rule, but neither worked.
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    more_set_headers "Content-Security-Policy-Report-Only: Content-Security-Policy: script-src 'self' 'none' ;";
    add_header Content-Security-Policy: default-src 'self' 'none' ;
Upvotes: 0
Views: 2297
Reputation: 31
If you are using the Helm chart of the community version of nginx (ingress-nginx), then you need to use configuration-snippet in the ingress resource.
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    more_set_headers "Content-Security-Policy-Report-Only: policy";
You also need to add/modify the configuration below in the chart's values.yaml to make it work properly.
controller:
  allowSnippetAnnotations: true
  config:
    annotations-risk-level: Critical
Note: Use these at your own risk; there are serious security issues when you use configuration-snippet.
Upvotes: 1
Reputation: 71
NGINX Ingress Controller's annotations start with nginx.org and nginx.com. The snippet annotation prefix you are using belongs to the community ingress controller; however, you mentioned you are using the one by NGINX Inc., i.e. NGINX Ingress Controller.
To add your snippet at the server block level of an ingress, you can use this annotation.
nginx.org/server-snippets: |
  # the header value must be a bare policy; 'none' cannot be combined with other sources
  more_set_headers "Content-Security-Policy-Report-Only: script-src 'self'";
  # add_header takes the header name followed by a quoted value, with no colon after the name
  add_header Content-Security-Policy "default-src 'self'";
You can see the docs on snippets here.
You may have to enable snippets if they are not enabled yet, either with the command line argument -enable-snippets or with the Helm value controller.enableSnippets: true.
Upvotes: 0
Reputation: 41
The solution from fandasson works, but the 'configuration-snippet' annotation is disabled by default since Ingress-NGINX version 1.9.0.
If you're using the nginx-ingress Helm chart, this means setting:
controller:
  allowSnippetAnnotations: true
Enabling it has security implications for multi-tenant clusters, see:
Upvotes: 0
Reputation: 2403
This works:
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    more_set_headers "Content-Security-Policy-Report-Only: your-policy";
Remember to modify your-policy to something real ;-)
Upvotes: 1
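The answers above leave the actual policy as a placeholder, and the snippet in the question shows two easy mistakes: pasting a header name into the header value, and combining 'self' with 'none'. The following added example (not from the question or any answer) lints a CSP value for those mistakes and only then renders the more_set_headers line for the snippet; the directive and keyword lists are a deliberately small subset of the CSP spec.

```python
import re

# Added example: lint a CSP value before pasting it into an ingress snippet,
# then render the nginx directive the snippet needs. Directive/keyword lists
# are a small subset of the CSP spec, enough for the policies in this thread.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "frame-src", "frame-ancestors", "base-uri", "form-action",
    "report-uri", "report-to", "upgrade-insecure-requests",
}
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
HEADER_NAME = re.compile(r"^\s*content-security-policy(-report-only)?\s*:", re.I)


def parse_csp(policy):
    """Split a CSP header value into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(policy):
    """Return the problems found in a CSP value; an empty list means it is well formed."""
    problems = []
    if HEADER_NAME.match(policy):
        # e.g. "Content-Security-Policy: script-src ..." used as the header *value*
        problems.append("header name embedded in header value")
    directives = parse_csp(policy)
    if not directives:
        problems.append("empty policy")
    for name, sources in directives.items():
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {name!r}")
        lowered = [s.lower() for s in sources]
        if "'none'" in lowered and len(sources) > 1:
            # 'none' is only meaningful on its own; "'self' 'none'" is contradictory
            problems.append(f"{name}: 'none' must be the only source")
        for src in lowered:
            if src in KEYWORDS:
                problems.append(f"{name}: keyword {src} must be quoted as '{src}'")
    return problems


def snippet_line(policy, report_only=False):
    """Render the more_set_headers line for a snippet; refuses an invalid policy."""
    problems = lint_csp(policy)
    if problems:
        raise ValueError("; ".join(problems))
    header = "Content-Security-Policy" + ("-Report-Only" if report_only else "")
    return f'more_set_headers "{header}: {policy}";'
```

After deploying, `curl -sI https://<your-host>/ | grep -i content-security-policy` confirms the header actually reaches clients.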