> I believe this is all documented in the page I mentioned, above, which
includes the proxiesHeaders you mention, there.
You're right I didn't realize proxiesHeader defaults to "x-forwarded-by" in
tomcat's server.xml, so my problem was with the static ip address being
required. I'll just need to
After further testing and messing about I think I have worked out a policy
that does not break anything but will need more testing:
add_header Content-Security-Policy "default-src 'none'; script-src 'self'
'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self';
frame-src 'self';
On Wed, May 8, 2019 at 10:44 AM Michael Barkdoll
wrote:
> Alright, first sorry for all the noise on this thread. I believe I have
> uncovered a bug and I'm going to proceed with opening a bug report.
>
No worries at all - that's what the mailing list is for!
>
> Concerning the reverse proxy,