Well, I noticed this particularly for the https vhost config. The CSP headers are properly being displayed for http but not https.
Here is my config

more /etc/nginx/conf.d/sec-headers.conf
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;

server {
include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
include /etc/nginx/conf.d/sec-headers.conf;
listen 80;
.
..
.

And here is https

server {
include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
include /etc/nginx/conf.d/sec-headers.conf;
listen 443 ssl http2;

However https properly gets reflected but not with https.

curl -I http://www.xxxx.xxx
HTTP/1.1 301 Moved Permanently
Date: Wed, 30 Nov 2022 03:20:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.xxxx.xxxx
Server: applox-waf
Content-Security-Policy: default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;

HTTP/1.1 200 OK
Date: Wed, 30 Nov 2022 03:33:47 GMT
Content-Type: text/html
Content-Length: 37579
Connection: keep-alive
Cache-Control: private
Set-Cookie: ASPSESSIONIDSGSTSTQQ=KOMPLPOCKOFKKCOELBNALAKE; secure; path=/
Server: applox-waf
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295928,295929#msg-295929
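
Added example, not part of the original post and not nginx's own code: nginx documents that add_header directives are inherited from the previous configuration level only when the current level defines none of its own, so a server-level CSP is dropped in any nested block that sets its own headers. The sketch below flags that pattern in a config; the sample is constructed, with the include expanded by hand and the location-level add_header line assumed, since the post elides that part of the vhost.

```python
import re

# Tokens: quoted strings, comments, braces/semicolons, bare words.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|[^\s{};]+')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set at each level."""
    root = {"name": "http", "own": [], "children": []}
    stack, stmt = [root], []
    for tok in TOKEN.findall(conf):
        if tok == ";":
            if len(stmt) >= 3 and stmt[0] == "add_header":
                stack[-1]["own"].append(stmt[1])
            stmt = []
        elif tok == "{":
            block = {"name": " ".join(stmt), "own": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            stmt = []
        elif tok == "}":
            stack.pop()
        elif not tok.startswith("#"):  # skip comments
            stmt.append(tok)
    return root

def shadowed(block, inherited=(), path=""):
    """Yield (block path, lost header names) where a level's own add_header replaces the inherited set."""
    path = f"{path} > {block['name']}" if path else block["name"]
    lost = [h for h in inherited if h not in block["own"]]
    if block["own"] and lost:
        yield path, lost
    effective = block["own"] or list(inherited)
    for child in block["children"]:
        yield from shadowed(child, effective, path)

# Constructed sample modelled on the post's two vhosts (include expanded inline).
SAMPLE = '''
server {
    listen 80;
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;
}
server {
    listen 443 ssl http2;
    add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;
    location / {
        add_header X-Frame-Options SAMEORIGIN;  # assumed: elided in the post
    }
}
'''
```

Calling list(shadowed(parse(SAMPLE))) reports the nested block and the header it no longer emits; repeating the security-header include inside every block that has its own add_header restores it.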