Redirect in app all of a sudden now gives 502

[jd5am]

I have secure-headers running on my app for a year now. But recently we started to get a 502 on nginx when the page is being redirected to Docusign (we have integrated docusign for more than a year). We have whitelisted all the docusign URL's in CSP script-src but still we get the 502.

When we disable CSP, then the redirect works (i.e. we do not get a 502).

Any ideas why this is happening all of a sudden?

[bepsvpt]

Could you provide the CSP config?

When we disable CSP, then the redirect works (i.e. we do not get a 502).

Does this mean disabling the CSP or just the script-src directive?

[jd5am]

Does this mean disabling the CSP or just the script-src directive?

> both.

Attached is the file. Thanks `<?php return [ /* * Server * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server * * Note: when server is empty string, it will not add to response header */ 'server' => 'nginx', /* * X-Content-Type-Options * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options * * Available Value: 'nosniff' */ 'x-content-type-options' => 'nosniff', /* * X-Download-Options * * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx * * Available Value: 'noopen' */ 'x-download-options' => 'noopen', /* * X-Frame-Options * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options * * Available Value: 'deny', 'sameorigin', 'allow-from <uri>' */ 'x-frame-options' => 'sameorigin', /* * X-Permitted-Cross-Domain-Policies * * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html * * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename' */ 'x-permitted-cross-domain-policies' => 'none', /* * X-Powered-By * * Note: it will not add to response header if the value is empty string. * * Also, verify that expose_php is turned Off in php.ini. * Otherwise the header will still be included in the response. * * Reference: #58 (comment) */ 'x-powered-by' => '', /* * X-XSS-Protection * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection * * Available Value: '1', '0', '1; mode=block' */ 'x-xss-protection' => '1; mode=block', /* * Referrer-Policy * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy * * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', * 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url' */ 'referrer-policy' => 'no-referrer', /* * Clear-Site-Data * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data */ 'clear-site-data' => [ 'enable' => false, 'all' => false, 'cache' => true, 'cookies' => true, 'storage' => true, 'executionContexts' => true, ], /* * HTTP Strict Transport Security * * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security * * Please ensure your website had set up ssl/tls before enable hsts. */ 'hsts' => [ 'enable' => true, 'max-age' => 31536000, 'include-sub-domains' => true, 'preload' => true, ], /* * Expect-CT * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT */ 'expect-ct' => [ 'enable' => false, 'max-age' => 2147483648, 'enforce' => false, // report uri must be absolute-URI 'report-uri' => null, ], /* * Permissions Policy * * Reference: https://w3c.github.io/webappsec-permissions-policy/ */ 'permissions-policy' => [ 'enable' => true, // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/accelerometer 'accelerometer' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/ambient-light-sensor 'ambient-light-sensor' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/autoplay 'autoplay' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/battery 'battery' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera 'camera' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://www.chromestatus.com/feature/5690888397258752 'cross-origin-isolated' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/display-capture 'display-capture' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/document-domain 'document-domain' => [ 'none' => false, '*' => true, 'self' => false, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/encrypted-media 'encrypted-media' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://wicg.github.io/page-lifecycle/#execution-while-not-rendered 'execution-while-not-rendered' => [ 'none' => false, '*' => true, 'self' => false, 'origins' => [], ], // https://wicg.github.io/page-lifecycle/#execution-while-out-of-viewport 'execution-while-out-of-viewport' => [ 'none' => false, '*' => true, 'self' => false, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/fullscreen 'fullscreen' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/geolocation 'geolocation' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/gyroscope 'gyroscope' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/magnetometer 'magnetometer' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone 'microphone' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/midi 'midi' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://drafts.csswg.org/css-nav-1/ 'navigation-override' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/payment 'payment' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture 'picture-in-picture' => [ 'none' => false, '*' => true, 'self' => false, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get 'publickey-credentials-get' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock 'screen-wake-lock' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/sync-xhr 'sync-xhr' => [ 'none' => false, '*' => true, 'self' => false, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/usb 'usb' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share 'web-share' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking 'xr-spatial-tracking' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], ], /* * Content Security Policy * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP */ 'csp' => [ 'enable' => true, // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 'report-only' => false, // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to 'report-to' => '', // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri 'report-uri' => [ // uri ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content 'block-all-mixed-content' => false, // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests 'upgrade-insecure-requests' => false, // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri 'base-uri' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src 'child-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src 'connect-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src 'default-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src 'font-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action 'form-action' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors 'frame-ancestors' => [ 'none' => true, ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src 'frame-src' => [ 'allow' => [ 'vars.hotjar.com', 'www.youtube.com', 'player.vimeo.com', 'www.google.com', 'cdn.embedly.com', 'vimeo.com/', 'hubspot.com', 'app-eu1.hubspot.com', 'a.clarity.ms/collect', 'cdn-cookieyes.com', 'snap.licdn.com', 'api.mixpanel.com', 'px.ads.linkedin.com', ], 'schemes' => [ 'data:', 'https:', ], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src 'img-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src 'manifest-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src 'media-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to 'navigate-to' => [ 'unsafe-allow-redirects' => false, ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src 'object-src' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types 'plugin-types' => [ // 'application/pdf', ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src 'prefetch-src' => [ // ], // https://w3c.github.io/webappsec-trusted-types/dist/spec/#integration-with-content-security-policy 'require-trusted-types-for' => [ 'script' => false, ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox 'sandbox' => [ 'enable' => false, 'allow-downloads-without-user-activation' => false, 'allow-forms' => false, 'allow-modals' => false, 'allow-orientation-lock' => false, 'allow-pointer-lock' => false, 'allow-popups' => false, 'allow-popups-to-escape-sandbox' => false, 'allow-presentation' => false, 'allow-same-origin' => false, 'allow-scripts' => false, 'allow-storage-access-by-user-activation' => false, 'allow-top-navigation' => false, 'allow-top-navigation-by-user-activation' => false, ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src 'script-src' => [ 'none' => false, 'self' => true, 'report-sample' => false, 'allow' => [ 'code.jquery.com', 'ajax.googleapis.com', 'googletagmanager.com', 'google-analytics.com', 's3.eu-west-2.amazonaws.com', 'cdnjs.cloudflare.com', 'unpkg.com', 'cdn.jsdelivr.net', 'www.google.com', 'maps.googleapis.com', 'checkout.stripe.com', 'h.clarity.ms', 'static.hotjar.com', 'gstatic.com', 'cdn.embedly.com', 'cdn.embed.ly', 'js-eu1.hs-scripts.com', 'cdn-cookieyes.com', 'api.mixpanel.com', ], 'schemes' => [ 'data:', 'https:', ], /* followings are only work for `script` and `style` related directives */ 'unsafe-inline' => true, 'unsafe-eval' => false, // https://www.w3.org/TR/CSP3/#unsafe-hashes-usage 'unsafe-hashes' => false, // Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`, // `allow` and `schemes`. You can find more information from: // https://www.w3.org/TR/CSP3/#strict-dynamic-usage 'strict-dynamic' => false, 'hashes' => [ 'sha256' => [ ], 'sha384' => [ // 'sha384-hash-value-with-base64-encode', ], 'sha512' => [ // 'sha512-hash-value-with-base64-encode', ], ], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr 'script-src-attr' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem 'script-src-elem' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src 'style-src' => [ 'self' => true, 'allow' => [ 's3.eu-west-2.amazonaws.com', 'maxcdn.bootstrapcdn.com', 'cdn.jsdelivr.net', 'gitcdn.github.io', 'fonts.googleapis.com', 'code.ionicframework.com', 'cdn.ckeditor.com', 'www.gstatic.com', 'gstatic.com', 'cdn.embedly.com', 'api.mixpanel.com', 'cdn-cookieyes.com', 'snap.licdn.com', 'px.ads.linkedin.com', ], 'schemes' => [ 'data:', 'https:', ], 'unsafe-inline' => true, 'unsafe-eval' => false, // https://www.w3.org/TR/CSP3/#unsafe-hashes-usage 'unsafe-hashes' => false, // Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`, // `allow` and `schemes`. You can find more information from: // https://www.w3.org/TR/CSP3/#strict-dynamic-usage 'strict-dynamic' => false, 'hashes' => [ 'sha256' => [ ], 'sha384' => [ // 'sha384-hash-value-with-base64-encode', ], 'sha512' => [ // 'sha512-hash-value-with-base64-encode', ], ], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr 'style-src-attr' => [ // ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem 'style-src-elem' => [ // ], // https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive 'trusted-types' => [ 'enable' => false, 'allow-duplicates' => false, 'default' => false, 'policies' => [ // ], ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src 'worker-src' => [ // ], ], ];` On 16 Feb 2023, at 01:40, bepsvpt ***@***.***> wrote: Does this mean disabling the CSP or just the script-src directive?