So I have a website behind nginx and I wonder where the headers are coming from, for example I have this content security policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests and haven’t specified it on my nginx and also not on my web server.
Any ideas?
If Cloudflare adds headers, is there a way to deactivate it?
By default, no.
Your web app might add them → NodeJS or some similar maybe? 
You can try to remove them using Transform Rules at Cloudflare, if interested.
Is this a Report-Only policy? Cloudflare Page Shield adds a Report-Only CSP policy when it is enabled.
Yes its node
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.