[GH-ISSUE #336] [FEATURE] Clarify about "Content-Security-Policy" #228

Closed
opened 2026-02-25 20:35:12 +03:00 by kerem · 2 comments

Originally created by @Myzel394 on GitHub (Jun 1, 2021).
Original GitHub issue: https://github.com/benbusby/whoogle-search/issues/336

Describe the feature you'd like to see added
Clarify the usage of Content-Security-Policy. If you add style-src * to it, Whoogle won't work (currently).

Additional context
I set up my own instance and hardened it using some security headers, one of them being Content-Security-Policy. It turned out I can't use it with Whoogle. I think it would be good to add this to the installation part, to avoid people spending hours finding out why there are no inline styles available ^O^

kerem 2026-02-25 20:35:12 +03:00

@benbusby commented on GitHub (Jun 1, 2021):

Sure. Just out of curiosity, which method were you using for deployment/installation? I assume these were headers applied by a reverse proxy?

Whoogle handles the CSP itself, so there shouldn't be any need to modify it externally, but I agree that it should be documented somewhere.


@Myzel394 commented on GitHub (Jun 1, 2021):

I used nginx.

Here's an example config:

```nginx
server {
    server_name whoogle.com;

    location /.well-known { }

    location / {
        proxy_pass http://127.0.0.1:5000;
    }

    # Gzip compression
    gzip on;

    # Browser security
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";   # <-- Bad guy
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "strict-origin";

}
```

Just removed it, worked after that :D.

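The thread above shows why the proxy-added header breaks the page: nginx's `add_header` does not replace the upstream `Content-Security-Policy`, so the browser receives two policies and enforces both, and `style-src *` never matches inline styles. The following is an added example, not code from whoogle-search, that models this combination; the `APP_CSP` value is a constructed stand-in for the application's own header, not the project's real policy.

```python
"""Added example (not from the whoogle-search project): evaluate whether an
inline <style> element would be allowed when a reverse proxy adds its own
Content-Security-Policy header on top of the one the application already sends.

Browsers enforce every CSP header they receive, so a resource must be allowed
by *all* of them; a proxy header can only tighten the policy, never loosen it.
"""
from typing import Dict, List

# Constructed sample headers. The proxy value is the one from the nginx config
# in the thread; the app value is a stand-in for Whoogle's own policy (it is
# NOT copied from the project, so treat it as an assumption).
APP_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'"
PROXY_CSP = "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def allows_inline_style(policy: Dict[str, List[str]]) -> bool:
    """A single policy permits inline styles only via 'unsafe-inline' (or a
    nonce/hash, not considered here); '*' matches URL sources only, never
    inline content, which is why `style-src *` breaks Whoogle's inline CSS."""
    sources = policy.get("style-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources


def inline_style_allowed(*headers: str) -> bool:
    """Multiple CSP headers are enforced independently; the effective result
    is their intersection, so every header must allow the inline style."""
    return all(allows_inline_style(parse_csp(h)) for h in headers)


if __name__ == "__main__":
    print("app only:", inline_style_allowed(APP_CSP))                # True
    print("app + proxy:", inline_style_allowed(APP_CSP, PROXY_CSP))  # False
```

Either drop the proxy's CSP line, as the reporter did, or make the proxy's value at least as permissive as the application's for every directive the app relies on; a proxy header cannot be used to relax what the application sends.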