Set Content-Security-Policy with always setifempty to avoid duplicates

jrafanie · jrafanie · commit 4a6cbe050a98 · 2026-03-06T16:23:35.000-05:00
Use 'Header always setifempty' instead of 'Header always set' to prevent
duplicate CSP headers when Rails generates error responses (e.g., 404).
This ensures CSP is set for error responses while avoiding conflicts with
Rails SecureHeaders gem.

Ref: CP4AIOPS-25046
diff --git a/COPY/etc/httpd/conf.d/manageiq-https-application.conf b/COPY/etc/httpd/conf.d/manageiq-https-application.conf
@@ -30,7 +30,7 @@ SSLCertificateKeyFile /var/www/miq/vmdb/certs/server.cer.key
   Header always set Strict-Transport-Security   "max-age=631138519"
   # CSP for static assets: strict policy since these are pre-compiled external files
   # No unsafe-inline needed - all scripts/styles are external resources
-  Header set Content-Security-Policy            "default-src 'self'; base-uri 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; worker-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; style-src 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report; report-to csp-endpoint"
+  Header always setifempty Content-Security-Policy "default-src 'self'; base-uri 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; worker-src 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com; img-src 'self' data:; style-src 'self' fonts.googleapis.com fonts.gstatic.com; report-uri /dashboard/csp_report; report-to csp-endpoint"
   Header set Report-To                          "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/dashboard/csp_report\"}]}"
   Header set X-Content-Type-Options             "nosniff"
   Header set X-Frame-Options                    "SAMEORIGIN"
