Add support for Content-Security-Policy-Report-Only. We can use the standard CSP header with 'contentSecurityPolicy' but it would be nice to be able to instead use it in Report-Only mode. This would help many users to develop their CSP using web-tools before deploying it into their 'production' or (in my case as a home user) homelabs.
What did you expect to see?
contentSecurityPolicyReportOnly in available header middlewares.
While it should be possible to use a customResponseHeader to express this, it causes issues when trying to express a configuration as 'infrastructure as code'.
It is very easy to switch between "contentSecurityPolicy" and "Content-Security-Policy-Report-Only" using an environment variable. Also, having to switch between a builtin header definition and a customResponseHeader is not so easy, with the result not being as easy to follow when the config is revisited by another person.
As an example, my definition within a docker-compose file currently looks like this
With a growing number of 'LINEx' variables being added as the CSP becomes more of an essay than a line entry. To support both header types all I would need to do is change the value of DOCKER_TRAEFIK_CSP_CMD to switch between them. Instead, I have to be creative and include more of the traefik label within the environment variable, which makes things harder to read.
Feature request
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
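The workaround discussed in this issue, sketched as an added example (not code from the issue author or the Traefik project): one mode variable selects between the built-in `contentSecurityPolicy` option and a `customResponseHeaders` entry for `Content-Security-Policy-Report-Only`, and the policy is kept one directive per line. The middleware name `sec-headers`, the `CSP_MODE` variable and the policy text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build the Traefik docker label for a CSP in either
# enforce or report-only mode from a single mode value.

# Join a policy written one directive per line into one header value.
# Blank lines are dropped; surrounding whitespace and trailing ';' are trimmed.
csp_join() {
    printf '%s\n' "$1" | awk '
        { gsub(/^[ \t]+|[ \t;]+$/, "") }
        length($0) { out = out (out ? "; " : "") $0 }
        END { print out }'
}

# csp_label MODE MIDDLEWARE POLICY
# Prints "label-key=header-value"; returns 1 on an unknown mode.
csp_label() {
    mode=$1
    mw=$2
    value=$(csp_join "$3")
    base="traefik.http.middlewares.$mw.headers"
    case $mode in
        enforce)
            key="$base.contentSecurityPolicy" ;;
        report-only)
            # No built-in option at the time of the request, so fall back
            # to a custom response header.
            key="$base.customResponseHeaders.Content-Security-Policy-Report-Only" ;;
        *)
            echo "unknown CSP mode: $mode" >&2
            return 1 ;;
    esac
    printf '%s=%s\n' "$key" "$value"
}

# Constructed sample policy, one directive per line.
SAMPLE_POLICY="default-src 'self';
  script-src 'self' https://cdn.example.test

  report-uri /csp-report;"

# CSP_MODE is a hypothetical variable; defaults to report-only here.
csp_label "${CSP_MODE:-report-only}" sec-headers "$SAMPLE_POLICY"
```

The printed line can be pasted into a compose file's `labels:` list or written to an env file that the compose file interpolates.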