starred/nginx-ui
1
0
Fork 0
mirror of https://github.com/0xJacky/nginx-ui.git synced 2026-04-25 08:45:58 +03:00
Code Issues 618 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1050] Strict CSP (Content Security Policy). #564

New issue
Closed
opened 2026-02-26 12:08:45 +03:00 by kerem · 2 comments
kerem commented 2026-02-26 12:08:45 +03:00
Owner
Copy link

Originally created by @uphv on GitHub (May 13, 2025).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/1050

Hi,

When enabling strict CSP:

Content-Security-Policy: default-src 'self' img-src 'self' script-src 'self' object-src 'none' https: wss: frame-ancestors 'self'

Nginx-UI breaks.

Nginx-UI is served via Nginx proxy location.

Might also be my mistake. Couldn't find anything in the docs.

Thanks!

Originally created by @uphv on GitHub (May 13, 2025). Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/1050 Hi, When enabling strict CSP: Content-Security-Policy: default-src 'self' img-src 'self' script-src 'self' object-src 'none' https: wss: frame-ancestors 'self' Nginx-UI breaks. Nginx-UI is served via Nginx proxy location. Might also be my mistake. Couldn't find anything in the docs. Thanks!
kerem closed this issue 2026-02-26 12:08:45 +03:00
kerem commented 2026-02-26 12:08:45 +03:00
Author
Owner
Copy link

@0xJacky commented on GitHub (May 13, 2025):

I don't quite understand what you mean. Could you provide the configuration file, browser screenshot, and nginx-ui log?

<!-- gh-comment-id:2876785676 --> @0xJacky commented on GitHub (May 13, 2025): I don't quite understand what you mean. Could you provide the configuration file, browser screenshot, and nginx-ui log?
kerem commented 2026-02-26 12:08:45 +03:00
Author
Owner
Copy link

@uphv commented on GitHub (May 21, 2025):

I have configured the CSP as such:

Content-Security-Policy: default-src 'none'; connect-src 'self' ws: wss:; img-src 'self' wss: ws: data: blob:; style-src 'self' wss: ws:; font-src 'self' wss: ws:; script-src 'self' *.cdn-apple.com wss: ws:; base-uri 'self'; object-src 'none'; frame-ancestors 'self';

as opposed to the proposed from Nginx-UI:

Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; connect-src 'self' https://www.oldforest.xyz ws: wss:; frame-ancestors 'self';" always;

This breaks the wss:// calls from Nginx-UI frontend to the server with messages like:

WebSocket connection to 'wss:////api/self_check/websocket?token=' failed: The network connection was lost

I am running Nginx-UI proxied behind a location as per configuration instructions. I added the proposed CSP to the proxied location but still getting this message.

I guess I'll have to recheck the CSP manuals.

If there is any idea / suggestion, I'll be happy to hear / test it.

Many thanks

<!-- gh-comment-id:2897594148 --> @uphv commented on GitHub (May 21, 2025): I have configured the CSP as such: Content-Security-Policy: default-src 'none'; connect-src 'self' ws: wss:; img-src 'self' wss: ws: data: blob:; style-src 'self' wss: ws:; font-src 'self' wss: ws:; script-src 'self' *.cdn-apple.com wss: ws:; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; as opposed to the proposed from Nginx-UI: Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; connect-src 'self' https://www.oldforest.xyz ws: wss:; frame-ancestors 'self';" always; This breaks the wss:// calls from Nginx-UI frontend to the server with messages like: WebSocket connection to 'wss://<site>/<nginxui>/api/self_check/websocket?token=<token>' failed: The network connection was lost I am running Nginx-UI proxied behind a location as per configuration instructions. I added the proposed CSP to the proxied location but still getting this message. I guess I'll have to recheck the CSP manuals. If there is any idea / suggestion, I'll be happy to hear / test it. Many thanks
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
weblate
main
renovate/uuid-14.x
renovate/typescript-6.x
renovate/all-minor-patch
cursor/interface-conversion-error-36ec
cursor/docker-api-stat-path-27ca
cursor/nginx-ui-disk-i-o-3d99
cursor/cloudflare-dns-comments-299c
cursor/access-log-dark-mode-font-dfdc
copilot/fix-ai-chat-title-error
cursor/propfind-method-logging-33b5
cursor/docker-client-version-update-d1b4
copilot/fix-nginx-ui-api-errors
cursor/update-x-forwarded-proto-header-handling-1223
cursor/fix-nginx-ui-issue-1455-gpt-5.1-codex-high-079c
cursor/update-nginx-ui-to-vue-3-gpt-5.1-codex-high-3100
cursor/investigate-nginx-ui-issue-1446-gpt-5.1-codex-high-2be0
v1
v2.3.8
v2.3.7
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.1
v2.2.0-patch.1
v2.2.0
v2.1.17
v2.1.16
v2.1.15
v2.1.14
v2.1.13
v2.1.12
v2.1.11
v2.1.10
v2.1.9
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4-patch.1
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0-patch.1
v2.1.0
v2.1.0-rc.3
v2.1.0-rc.2
v2.1.0-rc.1
v2.1.0-beta.1
v2.0.2
v2.0.1
v2.0.0
v2.0.0-rc.8-patch.1
v2.0.0-rc.8
v2.0.0-rc.7-patch.6
v2.0.0-rc.7-patch.7
v2.0.0-rc.7-patch.8
v2.0.0-rc.7-patch.5
v2.0.0-rc.7-patch.4
v2.0.0-rc.7-patch.3
v2.0.0-rc.7-patch.2
v2.0.0-rc.7-patch.1
v2.0.0-rc.7
v2.0.0-rc.6-patch.5
v2.0.0-rc.6-patch.4
v2.0.0-rc.6-patch.3
v2.0.0-rc.6-patch.2
v2.0.0-rc.6-patch.1
v2.0.0-rc.6
v2.0.0-rc.5
v2.0.0-rc.4-patch.3
v2.0.0-rc.4-patch.2
v2.0.0-rc.4-patch.1
v2.0.0-rc.4
v2.0.0-rc.3-patch.1
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1-patch.2
v2.0.0-rc.1-patch.1
v2.0.0-rc.1
v2.0.0-beta.42
v2.0.0-beta.41
v2.0.0-beta.40
v2.0.0-beta.39-risefront.6
v2.0.0-beta.39-risefront.5
v2.0.0-beta.39-risefront.4
v2.0.0-beta.39-risefront.3
v2.0.0-beta.39-risefront.2
v2.0.0-beta.39-risefront
v2.0.0-beta.39
v2.0.0-beta.38
v2.0.0-beta.37-patch.5
v2.0.0-beta.37-patch.3
v2.0.0-beta.37-patch.4
v2.0.0-beta.37-patch.2
v2.0.0-beta.37-patch.1
v2.0.0-beta.37
v2.0.0-beta.36
v2.0.0-beta.35
v2.0.0-beta.34
v2.0.0-beta.33
v2.0.0-beta.32-patch.1
v2.0.0-beta.32
v2.0.0-beta.31
v2.0.0-beta.30
v2.0.0-beta.29
v2.0.0-beta.28
v2.0.0-beta.27
v2.0.0-beta.26
v2.0.0-beta.25-patch.2
v2.0.0-beta.25-patch.1
v2.0.0-beta.25
v2.0.0-beta.24
v2.0.0-beta.23-patch.2
v2.0.0-beta.23-patch.1
v2.0.0-beta.23
v2.0.0-beta.22
v2.0.0-beta.21
v2.0.0-beta.20
v2.0.0-beta.19
v2.0.0-beta.18-patch.2
v2.0.0-beta.18-patch.1
v2.0.0-beta.18
v2.0.0-beta.17
v2.0.0-beta.16
v2.0.0-beta.15
v2.0.0-beta.14
v2.0.0-beta.13-patch
v2.0.0-beta.13
v2.0.0-beta.12
v2.0.0-beta.11
v2.0.0-beta.10-patch
v2.0.0-beta.10
v2.0.0-beta.9
v2.0.0-beta.8-patch
v2.0.0-beta.8
v2.0.0-beta.7
v2.0.0-beta.6-patch.2
v2.0.0-beta.6-patch
v2.0.0-beta.6
v2.0.0-beta.5-patch
v2.0.0-beta.5
v2.0.0-beta.4-patch
v2.0.0-beta.4
v2.0.0-beta.3
v2.0.0-beta.2
v2.0.0-beta.1
v1.9.9-4
v1.9.9-3
v1.9.9-2
v1.9.9
v1.9.9-1
v1.8.4-patch
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.9
v1.7.8
v1.7.7
v1.7.6
v1.7.5
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0-patch
v1.7.0
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.3
v1.6.2
v1.6.1
v1.6.0-fix
v1.6.0
v1.5.2
v1.5.1
v1.5.0
v1.5.0-beta9
v1.5.0-beta8
v1.5.0-beta7
v1.5.0-beta6
v1.5.0-beta5
v1.5.0-beta4-fix
v1.5.0-beta4
v1.5.0-beta3
v1.5.0-beta2
v1.5.0-beta1
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc1
v1.3.3-rc1
v1.3.2
v1.3.1-fix
v1.3.1
v1.3.0
v1.3.0-rc1
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc.3
v1.2.0-rc.2
v1.2.0-rc.1
v1.2.0-alpha.4
v1.2.0-alpha.3
v1.2.0-alpha.2
v1.1.0
Labels
Clear labels   
Q/A

   
bug

   
casdoor

   
dependencies

   
docker

   
documentation

   
duplicate

   
enhancement

   
help wanted

   
invalid

   
lego

   
platform:openwrt

   
platform:windows

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
Q/A
bug
casdoor
dependencies
docker
documentation
duplicate
enhancement
help wanted
invalid
lego
platform:openwrt
platform:windows
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-ui#564
No description provided.