Setting custom CSP headers

moritz · July 29, 2025, 12:26pm

I have problems setting custom CSP headers in my self-hosted Directus instance. I am using Coolify for deployment. There I can check the contents of the deployable compose file. The section in question is this:
CONTENT_SECURITY_POLICY_MEDIA_SRC: “‘self’ https://*.b-cdn.net blob:”
CONTENT_SECURITY_POLICY_SCRIPT_SRC: “‘self’ ‘unsafe-eval’ ‘unsafe-inline’”
CONTENT_SECURITY_POLICY_STYLE_SRC: “‘self’ ‘unsafe-inline’ blob:”

Yet, the applied CSP headers are this:
content-security-policy: script-src ‘self’ ‘unsafe-eval’;worker-src ‘self’ blob:;child-src ‘self’ blob:;img-src ‘self’ data: blob: https://raw.githubusercontent.com https://avatars.githubusercontent.com;media-src ‘self’;connect-src ‘self’ https://* wss://*;default-src ‘self’;base-uri ‘self’;font-src ‘self’ https: data:;form-action ‘self’;frame-ancestors ‘self’;object-src ‘none’;script-src-attr ‘none’;style-src ‘self’ https: ‘unsafe-inline’

Did anyone run into the same issue? Thanks!

ahmad_quvor · July 29, 2025, 6:31pm

I think there is a problem with naming because for me this works

CONTENT_SECURITY_POLICY_DIRECTIVES__IMG_SRC

Topic		Replies	Views
Preview Issues. (CSP related) [Directus Cloud] Help	3	30	July 30, 2025
How do I configure CORS for Directus? Help hosting	1	327	April 29, 2025
CORS issue when developing in local Help api	1	184	April 30, 2025
Official Directus MCP Server Showcase ai	13	460	August 5, 2025
Cannot see cms content Help tutorials	2	46	May 27, 2025

Setting custom CSP headers

Related topics