Redirecting HTTP Requests on an HTTPS Listener in Nginx (Status Code 497)

Nginx has a bunch of custom HTTP status codes that it uses internally to signal issues. One such status code is 497: the client made an HTTP request on an HTTPS listener. These custom status codes can be combined with an error_page directive to issue a redirect. This will send a…

Working with Multiple Content-Security-Policy Headers

Working with Multiple CSP Headers

Today I've been fighting with Content Security Policy (CSP). Servers may send multiple CSP headers, but there is a catch: "Adding additional policies can only further restrict the capabilities of the protected resource." I had wrongly assumed that I could pretty up my nginx configuration by splitting up the various *-src directives into separate add_header…