getodk · alxndrsn · Dec 2, 2025 · Nov 5, 2025 · Nov 18, 2025 · Nov 20, 2025
diff --git a/files/nginx/backend.conf b/files/nginx/backend.conf
@@ -0,0 +1,8 @@
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass http://service:8383;
+proxy_redirect off;
+
+# buffer requests, but not responses, so streaming out works.
+proxy_request_buffering on;
+proxy_buffering off;
+proxy_read_timeout 2m;
diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
@@ -145,6 +145,7 @@ server {
 
     # More lax CSP for enketo-express:
     # Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy
+    proxy_hide_header Content-Security-Policy-Report-Only;
     add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/ https://translate.google.com https://translate.googleapis.com; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/ https://tile.openstreetmap.org/ https://translate.google.com; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'unsafe-inline'; report-uri /csp-report";
     #
     # Rules set to 'none' here would fallback to default-src if excluded.
@@ -154,15 +155,17 @@ server {
   }
   # End of Enketo Configuration.
 
+  location ~ ^/v\d+/oidc/callback$ {
+    include /usr/share/odk/nginx/common-headers.conf;
+    include /usr/share/odk/nginx/backend.conf;
+  }
+
   location ~ ^/v\d {
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_pass http://service:8383;
-    proxy_redirect off;
+    proxy_hide_header Content-Security-Policy-Report-Only;
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src https://translate.google.com https://translate.googleapis.com; img-src https://translate.google.com; report-uri /csp-report";
 
-    # buffer requests, but not responses, so streaming out works.
-    proxy_request_buffering on;
-    proxy_buffering off;
-    proxy_read_timeout 2m;
+    include /usr/share/odk/nginx/common-headers.conf;
+    include /usr/share/odk/nginx/backend.conf;
   }
 
   location @blank.html {

diff --git a/nginx.dockerfile b/nginx.dockerfile
@@ -32,6 +32,7 @@ COPY files/nginx/setup-odk.sh \
      /scripts/
 
 COPY files/nginx/redirector.conf /usr/share/odk/nginx/
+COPY files/nginx/backend.conf /usr/share/odk/nginx/
 COPY files/nginx/common-headers.conf /usr/share/odk/nginx/
 COPY files/nginx/robots.txt /usr/share/nginx/html
 COPY --from=intermediate client/dist/ /usr/share/nginx/html

diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js
@@ -9,6 +9,10 @@ const app = express();
 
 app.use((req, res, next) => {
   console.log(new Date(), req.method, req.originalUrl);
+
+  // always set CSP header to detect (or allow) leaks from backend through to the client
+  res.set('Content-Security-Policy-Report-Only', 'default-src NOTE:FROM-BACKEND');
+
   next();
 });
 

diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js
@@ -16,6 +16,9 @@ const contentSecurityPolicies = {
     'img-src': 'https://translate.google.com',
     'report-uri':  '/csp-report',
   },
+  'backend-unmodified': {
+    'default-src': 'NOTE:FROM-BACKEND',
+  },
   'central-frontend': {
     'default-src':    none,
     'connect-src': [
@@ -353,6 +356,16 @@ describe('nginx config', () => {
     );
   });
 
+  it('/oidc/callback should serve Content-Security-Policy from backend', async () => {
+    // when
+    const res = await fetchHttps('/v1/oidc/callback');
+
+    // then
+    assert.equal(res.status, 200);
+    assert.equal(await res.text(), 'OK');
+    assertSecurityHeaders(res, { csp:'backend-unmodified' });
+  });
+
   it('should set x-forwarded-proto header to "https"', async () => {
     // when
     const res = await fetchHttps('/v1/reflect-headers');