From 001f23c5ae4a53b62c3231347467344a34a423f0 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 11 Jun 2019 17:01:38 +0200
Subject: [PATCH] add content security policy options
---
 defaults/main.yml | 6 ++++++
 templates/etc/nginx/conf.d/header.conf.j2 | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 17f11ac..11aa06e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -76,6 +76,12 @@ nginx_xfo_enabled: True
 nginx_xfo_policy: deny
 nginx_xcto_enabled: True
+nginx_csp_enabled: False
+# nginx_csp_options:
+# - directive: frame-ancestors
+# parameters:
+# - https://example.com
+# - https://mypage.com
 nginx_xxxsp_enabled: True
 nginx_xxxsp_parameters:
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index f797548..df7a23e 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -1,9 +1,10 @@
+#jinja2: lstrip_blocks: True
 # {{ ansible_managed }}
 # protect against protocol downgrading and cookie hijacking
 # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
-{% if nginx_tls_hsts_enabled %}
-add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
+{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
+add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}";
 {% endif %}
 # improve the protection against Clickjacking
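Review bot: The commented-out `nginx_csp_options` example shows only a `frame-ancestors` entry and says nothing about quoting, so an operator's first attempt at a keyword source such as `- 'self'` is stripped to `self` by YAML and rendered as a host-source, which browsers treat as a hostname rather than the keyword. I would extend the example with a `default-src` entry and a comment above it: `# keyword sources keep their quotes in the header: write "'self'" / "'none'" in YAML`, followed by `#   - directive: default-src` and `#     parameters: ["'self'"]`. It is also worth noting next to the example that `frame-ancestors` takes precedence over X-Frame-Options in browsers that implement CSP, so the policy and `nginx_xfo_policy` (deny, set just above) should agree. Spelling the boolean as `False` matches the other `*_enabled` keys in this file, so that is consistent.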
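Review bot: The rewritten `add_header Strict-Transport-Security ...;` line still carries no `always` flag, so nginx attaches the header only to 2xx/3xx responses and any 4xx/5xx served by this host leaves without HSTS; since nginx 1.7.5 the fix is `add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;`. A side effect of the new condition is that `nginx_tls_hsts_enabled: True` with `nginx_hsts_options` left undefined now silently renders nothing, where the old template emitted a bare `add_header Strict-Transport-Security;` that nginx would have refused at config test; for a security header a loud failure seems preferable, e.g. drop the `is defined` clause from the `if` and render `{{ nginx_hsts_options | mandatory | join('; ') }}`. Nginx also does not inherit `add_header` into a `server` or `location` block that declares its own `add_header`, which deserves a comment at the top of this template since every header here relies on inheritance; where the file is included is not visible from the hunk.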
@@ -11,6 +12,9 @@ add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ n
 {% if nginx_xfo_enabled %}
 add_header X-Frame-Options {{ nginx_xfo_policy }};
 {% endif %}
+{% if nginx_csp_enabled and nginx_csp_options is defined %}
+add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}";
+{% endif %}
 # prevent from interpreting files as something else than declared by the content type in HTTP headers
 # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
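Review bot: The new `add_header Content-Security-Policy ...;` line lacks the `always` flag, so the policy is omitted from 4xx/5xx responses such as custom error pages where it is just as relevant; `add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always;` fixes that. The value is assembled by plain string joining inside nginx's double quotes, so a parameter containing `"` breaks the rendered config and a `;` splices in an extra directive, and a `parameters` value given as a string instead of a list is joined character by character; the data is operator-supplied inventory rather than user input, but a comment stating `# parameters must be a list; values are inserted verbatim into the header` would avoid a confusing render. Since X-Frame-Options is still emitted a few lines above, add a comment that `frame-ancestors` takes precedence over it in browsers that implement CSP, so the two settings must be kept consistent. A `nginx_csp_report_only` switch that emits `Content-Security-Policy-Report-Only` instead would let operators stage a policy before enforcing it.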