Overwrite Nginx Content-Security-Policy within PHP?

Posted 5 months ago by click


I'm wondering if it is possible to overwrite the Content-Security-Policy configured in an Nginx configuration from within PHP (Laravel).

Currently I'm unable to do so, and I can't find anything on the web about whether this is even possible.

Nginx config

add_header Content-Security-Policy "default-src 'self'";


Route::get('wiki', function(){
    return response('<iframe src=""></iframe>')->withHeaders([
        'Content-Security-Policy' => 'default-src',
    ]);
});


content-security-policy: default-src
content-security-policy: default-src 'self'

Result: Wikipedia is not loaded in the iframe. If I change the Nginx config to: default-src, Wikipedia is loaded into the iframe.

Does anyone have experience with this? Is it even possible to overwrite CSP headers from within PHP if they are already set?
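
Added example, not part of the original post: browsers enforce every Content-Security-Policy header they receive, and `add_header` appends the Nginx policy to whatever PHP already sent, so both headers shown above are applied and the stricter one still blocks the iframe. One way to let a route's own header stand alone is to turn the Nginx value into a fallback. The variable name `$csp_fallback`, the PHP-FPM socket path and the document root are assumptions.

```nginx
# http {} context. $csp_fallback is a name chosen for this example.
# $upstream_http_content_security_policy holds the CSP header of the
# PHP-FPM response, or is empty when the application sent none.
map $upstream_http_content_security_policy $csp_fallback {
    ""      "default-src 'self'";   # app sent no CSP: use the site default
    default "";                     # app sent its own CSP: add nothing
}

server {
    listen 80;
    server_name _;
    root /var/www/app/public;       # assumed Laravel public directory
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path

        # add_header skips headers whose value is empty, so the response
        # carries exactly one policy: the route's own or the fallback.
        add_header Content-Security-Policy $csp_fallback always;
    }
}
```

Routes that send no header keep the site default; a route that sets its own header replaces the default entirely, so those per-route policies need the same review as the Nginx one.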


Please sign in or create an account to participate in this conversation.