Set default CSP domains

maor-rozenfeld · maor-rozenfeld · commit 50665f8d2f53 · 2026-03-04T11:27:18.000+01:00
diff --git a/chart/templates/configmap-nginx.yaml b/chart/templates/configmap-nginx.yaml
@@ -32,7 +32,7 @@ data:
         {{- if .Values.nginx.securityHeaders.enabled }}
         add_header X-Content-Type-Options "{{ .Values.nginx.securityHeaders.xContentTypeOptions }}" always;
         add_header X-Frame-Options "{{ .Values.nginx.securityHeaders.xFrameOptions }}" always;
-        add_header Content-Security-Policy "{{ .Values.nginx.securityHeaders.contentSecurityPolicy }}" always;
+        add_header Content-Security-Policy "{{ .Values.nginx.securityHeaders.contentSecurityPolicy }}{{- range .Values.nginx.securityHeaders.extraCspDomains }} {{ . }}{{- end }};" always;
         add_header Permissions-Policy "{{ .Values.nginx.securityHeaders.permissionsPolicy }}" always;
         add_header Referrer-Policy "{{ .Values.nginx.securityHeaders.referrerPolicy }}" always;
         {{- else }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -538,7 +538,10 @@ nginx:
   securityHeaders:
     enabled: true
     xContentTypeOptions: "nosniff"
-    contentSecurityPolicy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;"
+    contentSecurityPolicy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://login.openops.com https://assets.frontegg.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://app.openops.com https://cdn.jsdelivr.net"
+    # Additional domains to append to the CSP default-src directive
+    extraCspDomains: []
+    # - https://example.com
     permissionsPolicy: "geolocation=(), microphone=(), camera=()"
     referrerPolicy: "strict-origin-when-cross-origin"
   # Rate limiting - ENABLED BY DEFAULT for security
