Why is cloudflare modifying my CSP header?

I’ve set my nginx server to return a Content-Security-Policy header, but Cloudflare seems to be incorrectly appending to it.

My server returns this header when I test it from localhost:

Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self' data: repository-images.githubusercontent.com opengraph.githubassets.com;

However, my website returns this header from Cloudflare:

Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src fonts.gstatic.com; img-src 'self' data: repository-images.githubusercontent.com opengraph.githubassets.com;, default-src 'self' http: https: data: blob: 'unsafe-inline'

I was able to manually override it for now with a transform rule that hardcodes my server’s header, but this won’t work for dynamic values like nonces or hashes.

I’m not sure what setting is causing Cloudflare to always append , default-src 'self' http: https: data: blob: 'unsafe-inline' to my headers.
