[GH-ISSUE #1050] Strict CSP (Content Security Policy). #6338

Closed
opened 2026-03-01 17:11:22 +03:00 by kerem · 2 comments
Owner

Originally created by @uphv on GitHub (May 13, 2025).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/1050

Hi,

When enabling strict CSP:

Content-Security-Policy: default-src 'self' img-src 'self' script-src 'self' object-src 'none' https: wss: frame-ancestors 'self'

Nginx-UI breaks.

Nginx-UI is served via Nginx proxy location.

Might also be my mistake. Couldn't find anything in the docs.

Thanks!

kerem closed this issue 2026-03-01 17:11:22 +03:00
Author
Owner

@0xJacky commented on GitHub (May 13, 2025):

I don't quite understand what you mean. Could you provide the configuration file, browser screenshot, and nginx-ui log?

Author
Owner

@uphv commented on GitHub (May 21, 2025):

I have configured the CSP as such:

Content-Security-Policy: default-src 'none'; connect-src 'self' ws: wss:; img-src 'self' wss: ws: data: blob:; style-src 'self' wss: ws:; font-src 'self' wss: ws:; script-src 'self' *.cdn-apple.com wss: ws:; base-uri 'self'; object-src 'none'; frame-ancestors 'self';

as opposed to the proposed from Nginx-UI:

Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; connect-src 'self' https://www.oldforest.xyz ws: wss:; frame-ancestors 'self';" always;

This breaks the wss:// calls from Nginx-UI frontend to the server with messages like:

WebSocket connection to 'wss://<site>/<nginxui>/api/self_check/websocket?token=<token>' failed: The network connection was lost

I am running Nginx-UI proxied behind a location as per configuration instructions. I added the proposed CSP to the proxied location but still getting this message.

I guess I'll have to recheck the CSP manuals.

If there is any idea / suggestion, I'll be happy to hear / test it.

Many thanks

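Whether the wss:// call above gets through depends on which CSP source list governs the WebSocket request (connect-src, falling back to default-src) and whether any source in that list matches it. The Python below is an added example for this thread, not nginx-ui code: it parses a CSP header into directives and models CSP3 source matching for `'self'`, `'none'`, scheme sources such as `wss:` and host sources such as `*.cdn-apple.com`. The origin `https://example.invalid`, the hosts `attacker.invalid` and `x.cdn-apple.com`, the token placeholder and the `SELF_ONLY` policy are constructed; the two other policies are the ones quoted in this thread. The `legacy_self` switch models engines whose `'self'` does not cover ws/wss at all, which is the historical reason policies list `wss:` explicitly. Paths inside host sources are ignored.

```python
"""Check whether a WebSocket URL is allowed by a Content-Security-Policy.

Added example for this issue thread, not nginx-ui code. It models the
subset of CSP source matching that matters for the wss:// failure above:
directive fallback (connect-src -> default-src), 'self', 'none', scheme
sources and host sources with optional scheme, wildcard subdomain and port.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}
# Scheme sources, conservative reading: a scheme also covers its secure upgrade.
SCHEME_UPGRADES = {"http": {"https"}, "ws": {"wss"}}
# 'self' under CSP3: a page may open its own host over the upgraded schemes too.
SELF_UPGRADES = {"http": {"https", "ws", "wss"}, "https": {"wss"}}


def parse_csp(header):
    """Split a header value into {directive: [source tokens]}.

    Directives are separated by ';'. A header written without ';' (like the
    first one in this issue) collapses into a single directive whose source
    list also contains the other directive names, read as host names.
    Per CSP, the first occurrence of a directive wins.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _scheme_ok(allowed, actual):
    return allowed == actual or actual in SCHEME_UPGRADES.get(allowed, set())


def _self_matches(u, origin, legacy):
    """'self': same host and effective port; legacy engines never cover ws/wss."""
    if u.hostname != origin.hostname or _port(u) != _port(origin):
        return False
    if legacy and u.scheme in ("ws", "wss"):
        return False
    return u.scheme == origin.scheme or u.scheme in SELF_UPGRADES.get(origin.scheme, set())


def _host_matches(src, u, origin):
    """host-source: [scheme://]host[:port][/path]; a leading '*.' allows subdomains."""
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _scheme_ok(scheme or origin.scheme, u.scheme):
        return False
    name = u.hostname or ""
    if host.startswith("*."):
        host_ok = name.endswith(host[1:])      # "*.cdn-apple.com" -> ".cdn-apple.com"
    else:
        host_ok = host == "*" or name == host
    if not host_ok:
        return False
    if port == "":                             # no port given: URL must use its default port
        return _port(u) == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or _port(u) == int(port)


def _source_matches(src, u, origin, legacy_self):
    if src == "'self'":
        return _self_matches(u, origin, legacy_self)
    if src.startswith("'"):                    # 'none', 'unsafe-inline', nonces, hashes: never a URL match
        return False
    if src == "*":
        return u.scheme in DEFAULT_PORTS
    if src.endswith(":") and "/" not in src:   # scheme-source such as wss: or data:
        return _scheme_ok(src[:-1], u.scheme)
    return _host_matches(src, u, origin)


def allows(header, url, origin, directive="connect-src", legacy_self=False):
    """Return (allowed, governing_directive) for a URL fetched under `directive`."""
    policy = parse_csp(header)
    if directive not in policy:
        directive = "default-src"              # CSP fallback for fetch directives
    sources = policy.get(directive)
    if sources is None:
        return True, None                      # no applicable directive: unrestricted
    u, o = urlparse(url), urlparse(origin)
    return any(_source_matches(s, u, o, legacy_self) for s in sources), directive


# Constructed origin and URLs standing in for the reporter's proxied nginx-ui.
ORIGIN = "https://example.invalid"
WS_URL = "wss://example.invalid/nginxui/api/self_check/websocket?token=placeholder"
OTHER_WS = "wss://attacker.invalid/collect"

# The issue's first header: no ';' between directives.
NO_SEMICOLONS = ("default-src 'self' img-src 'self' script-src 'self' object-src 'none' "
                 "https: wss: frame-ancestors 'self'")
# The reporter's second header.
REPORTER = ("default-src 'none'; connect-src 'self' ws: wss:; img-src 'self' wss: ws: data: blob:; "
            "style-src 'self' wss: ws:; font-src 'self' wss: ws:; "
            "script-src 'self' *.cdn-apple.com wss: ws:; base-uri 'self'; object-src 'none'; "
            "frame-ancestors 'self'")
# Constructed tight policy that relies on 'self' alone for the socket.
SELF_ONLY = "default-src 'self'; connect-src 'self'"

if __name__ == "__main__":
    for name, header in (("no semicolons", NO_SEMICOLONS), ("reporter", REPORTER), ("self only", SELF_ONLY)):
        ok, d = allows(header, WS_URL, ORIGIN)
        print(f"{name:14s} own wss: {'allowed' if ok else 'BLOCKED'} via {d}")
    print("self only, legacy 'self':", allows(SELF_ONLY, WS_URL, ORIGIN, legacy_self=True))
    print("reporter, cross-origin wss:", allows(REPORTER, OTHER_WS, ORIGIN))
```

Two things the run makes visible. The first header, having no semicolons, parses as a single `default-src` directive whose source list happens to contain `wss:`, so the socket is allowed by accident rather than by design, and the intended `object-src 'none'` and `frame-ancestors` never take effect. In the reporter's second header, `connect-src 'self' ws: wss:` does allow the UI's own socket, but the bare `ws: wss:` also allows a WebSocket to any host; when the UI is served from the same origin, `'self'` (plus an explicit `wss://host` for engines that do not count ws/wss under `'self'`) is the tighter choice.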