https://developers.google.com/web/fundamentals/security/csp/?hl=ja
CSP with nginx
sites-available/default

server {
    listen 443 ssl http2 default_server;
    server_name example.org;
    # More config here

    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' fonts.googleapis.com ssl.google-analytics.com; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' ssl.google-analytics.com; report-uri https://example.org/_csp";

    location = /_csp {
        # The "CSP" log format must be defined with log_format in the http
        # context and include $request_body.
        access_log /var/log/nginx/csp.log CSP;
        proxy_pass http://127.0.0.1/_csp_response;
    }
}

server {
    listen 80 default_server;
    server_name example.org;
    # More config here

    location /_csp_response {
        access_log off;
        return 204;
    }
}
...
At first glance, the proxy_pass directive may look a bit suspicious. It is there because if you just do return 204 directly from the /_csp location, the request body is not logged in the csp.log file. With the proxy_pass hack, it is. You may also notice that in this example I’m only configuring the older report-uri directive.
Filtering POST data logs in Nginx | GMO Internet, Next Generation System Laboratory
Double quotes come out as \x22, but... it's mostly OK.
sed -E 's/\\x22/"/g'
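The sed line above only restores double quotes. As an added example (not from the original page or the quoted articles), the following decodes every \xXX escape in one pass and parses the report JSON, which goes beyond the \x22 case. The log format in the comment, the sample lines, and the function names are assumptions made for illustration.

```python
import json
import re
from collections import Counter

# Assumed log format (the page does not show its definition of "CSP"):
#   log_format CSP '$time_iso8601 $remote_addr "$request_body"';
LINE = re.compile(rb'^(\S+) (\S+) "(.*)"$')
ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")

def decode_nginx_escapes(field: bytes) -> bytes:
    # nginx's default log escaping writes '"', '\' and bytes <32 or >126 as
    # \xXX, so every backslash in the field starts an escape. Decode in one
    # pass: \x5C\x22 must become \" and must not be decoded a second time.
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), field)

def parse_report(line: bytes):
    """Return the csp-report object from one log line, or None if unusable."""
    m = LINE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    try:
        doc = json.loads(decode_nginx_escapes(m.group(3)).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None  # the endpoint accepts POSTs from anyone; expect junk
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    return report if isinstance(report, dict) else None

def summarize(lines):
    """Count reports per (violated-directive, blocked-uri)."""
    counts = Counter()
    for line in lines:
        r = parse_report(line)
        if r is not None:
            counts[(str(r.get("violated-directive")), str(r.get("blocked-uri")))] += 1
    return counts

# Constructed sample lines, as they would appear in csp.log.
SAMPLE = [
    rb'2024-05-01T10:00:00+00:00 203.0.113.7 "{\x22csp-report\x22:{'
    rb'\x22violated-directive\x22:\x22img-src\x22,'
    rb'\x22blocked-uri\x22:\x22https://cdn.example.net/a.png\x22}}"',
    rb'2024-05-01T10:00:02+00:00 203.0.113.8 "{\x22csp-report\x22:{'
    rb'\x22violated-directive\x22:\x22script-src\x22,\x22blocked-uri\x22:'
    rb'\x22inline\x22,\x22script-sample\x22:\x22a\x5C\x22b\x22}}"',
    rb'2024-05-01T10:00:03+00:00 203.0.113.9 "-"',  # no usable body
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)  # tuple repr keeps control characters escaped
```

The second sample line is the case where replacing only \x22 yields invalid JSON, because the backslash of the JSON escape \" is itself logged as \x5C.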