Update content security policy to allow API

nhsconnect · Dec 8, 2023 · 4959587 · 4959587
1 parent 97275a2
commit 4959587
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/app/docker/nginx.conf b/app/docker/nginx.conf
@@ -4,10 +4,10 @@ events {
 http {
     server {
     listen       80;
-    add_header Cache-Control "no-store, no-cache" always;
+    add_header Cache-Control "no-store" always;
     add_header Pragma "no-cache" always;
     add_header Strict-Transport-Security "max-age=63072000" always;
-    add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'" always;
+    add_header Content-Security-Policy "frame-ancestors 'none'; img-src 'self'; script-src 'self'; style-src 'self'" always;
     add_header Referrer-Policy "no-referrer" always;
     add_header Permissions-Policy "Permissions-Policy: accelerometer=(self), ambient-light-sensor=(self), autoplay=(self), battery=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), navigation-override=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self), clipboard-read=(self), clipboard-write=(self), gamepad=(self), speaker-selection=(self), conversion-measurement=(self), focus-without-user-activation=(self), hid=(self), idle-detection=(self), interest-cohort=(self), serial=(self), sync-script=(self), trust-token-redemption=(self), unload=(self), window-placement=(self), vertical-scroll=(self)" always;
     add_header X-Content-Type-Options "nosniff" always;