Fix GeoServer 2.27 CSP Errors with Nginx Reverse Proxy
Resolve Content Security Policy errors blocking GeoServer login after upgrade. Configure nginx reverse proxy and GeoServer settings for proper CSP compliance.
How to resolve Content Security Policy (CSP) errors preventing login to GeoServer web UI after upgrading from version 2.26 to 2.27? After upgrading GeoServer from 2.26 to 2.27 and configuring CSRF whitelist in web.xml, I’m getting CSP errors that block form submission and inline styles when trying to login through nginx reverse proxy. What configuration changes are needed to fix these Content Security Policy violations?
GeoServer 2.27 introduced stricter Content Security Policy (CSP) enforcement that blocks form submission and inline styles when accessed through nginx reverse proxy. To resolve these CSP errors, you’ll need to configure both your nginx reverse proxy and GeoServer’s security settings to properly handle the new security requirements. After upgrading from version 2.26, the increased security restrictions interfere with the login workflow, requiring specific adjustments to maintain functionality while keeping security intact.
Contents
- Understanding Content Security Policy (CSP) Errors in GeoServer 2.27
- Configuring Nginx Reverse Proxy for GeoServer Login
- Resolving CSP Violations for Form Submission
- Fixing Inline Styles CSP Issues
- Advanced CSP Configuration for GeoServer
- Testing and Verifying Your Configuration
- Sources
- Conclusion
Understanding Content Security Policy (CSP) Errors in GeoServer 2.27
Content Security Policy (CSP) is a browser security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by specifying which resources can be loaded and executed by a web page. When you upgraded from GeoServer 2.26 to 2.27, the development team implemented stricter CSP settings to enhance security, particularly for the web administration interface.
The specific CSP errors you’re encountering—blocking form submission and inline styles—occur because the default CSP configuration in GeoServer 2.27 doesn’t account for the way nginx reverse proxies handle requests. The login form uses inline JavaScript for validation and styling, which violates the default CSP directive that prohibits both unsafe-inline and specifies strict sources for form submissions.
The official GeoServer documentation explains that these security changes were implemented to protect against emerging web vulnerabilities, but they require careful configuration when deploying behind reverse proxies. The web interface relies on specific resources that need to be explicitly allowed in your CSP policy.
Configuring Nginx Reverse Proxy for GeoServer Login
To resolve the content security policy errors with nginx reverse proxy, you’ll need to modify your nginx configuration to properly forward headers and handle the security requirements of GeoServer 2.27. The key is to ensure that the necessary headers are passed through correctly and that any security restrictions imposed by nginx don’t conflict with GeoServer’s internal security model.
First, update your nginx configuration to include the proper headers:
location /geoserver {
proxy_pass http://localhost:8080/geoserver;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Important for CSP compliance
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# GeoServer specific headers
proxy_set_header Accept-Encoding "";
# Buffer settings for large responses
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
Additionally, you may need to add specific content security policy headers in your nginx configuration to bridge the gap between nginx and GeoServer’s security requirements:
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net;
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
connect-src 'self';
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';" always;
This configuration allows inline scripts and styles, which GeoServer uses extensively in its web interface, while still maintaining security by restricting resources to trusted sources.
Resolving CSP Violations for Form Submission
The form submission errors you’re experiencing occur because GeoServer’s login form uses inline JavaScript for validation and CSRF protection, which conflicts with the default CSP policy that prohibits unsafe-inline in script sources. After upgrading to version 2.27, GeoServer enforces stricter security measures that require specific CSP directives to be configured.
To resolve these form submission CSP errors, you have several approaches:
1. Configure GeoServer to Use Nonces for Scripts
In your web.xml file, add or modify the following configuration:
<context-param>
<param-name>GEOSERVER_CSRF_WHITELIST</param-name>
<param-value>your,csrf,whitelist,entries</param-value>
</context-param>
<context-param>
<param-name>GEOSERVER_ENABLE_CSP_NONCE</param-name>
<param-value>true</param-value>
</context-param>
This enables nonce-based CSP for scripts, which is more secure than allowing unsafe-inline.
2. Update Nginx Configuration for Form Submissions
Modify your nginx content security policy to specifically allow form submissions:
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
connect-src 'self';
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';
# Specifically allow form submissions
child-src 'self';
worker-src 'self';" always;
3. Use a Content Security Policy Report-Only Mode
For testing purposes, you can start with a report-only mode to identify all CSP violations without blocking functionality:
add_header Content-Security-Policy-Report-Only "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
connect-src 'self';
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';
report-uri /csp-violation-report-endpoint;" always;
This will report violations to the specified endpoint without blocking functionality, allowing you to identify all needed adjustments.
Fixing Inline Styles CSP Issues
Inline styles are another common source of CSP errors when accessing GeoServer through nginx reverse proxy. The default CSP policy in modern browsers prohibits inline styles unless explicitly allowed, which breaks GeoServer’s UI styling mechanisms.
Understanding the Problem
GeoServer’s web interface uses inline styles extensively for layout and dynamic theming. When you upgrade to version 2.27, these inline styles trigger CSP violations because the default policy includes style-src 'self' without allowing unsafe-inline.
Solution 1: Allow Inline Styles in CSP
The most straightforward solution is to modify your nginx configuration to allow inline styles:
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
# Allow inline styles
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
connect-src 'self';
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';" always;
Solution 2: Extract Inline Styles to External CSS
For a more security-conscious approach, you can extract the critical inline styles to an external CSS file and reference it in your nginx configuration:
# In your nginx configuration
location /geoserver/css/critical-styles.css {
alias /path/to/your/critical-styles.css;
}
# Then update the CSP to reference this external file
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' https://yourdomain.com/geoserver/css/critical-styles.css;
img-src 'self' data:;
font-src 'self';
connect-src 'self';
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';" always;
Solution 3: Use Style Attribute Whitelisting
If you need to maintain some inline styles while restricting others, you can implement a more granular approach:
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' data:;
img-src 'self' data:;
font-src 'self';
connect-src 'self';
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';
# Allow specific style attributes
style-attr-unsafe 'unsafe-inline';" always;
This approach provides a balance between security and functionality for your GeoServer web interface.
Advanced CSP Configuration for GeoServer
For organizations that require both security and functionality with GeoServer 2.27, implementing an advanced CSP configuration is essential. This involves carefully crafting a policy that allows the resources GeoServer needs while maintaining security against potential threats.
Comprehensive Nginx Configuration
Here’s a comprehensive nginx configuration that addresses multiple CSP concerns:
# Main location block for GeoServer
location /geoserver {
proxy_pass http://localhost:8080/geoserver;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Accept-Encoding "";
# Buffer settings
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
# Content Security Policy
add_header Content-Security-Policy "default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com;
style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;
img-src 'self' data: https://tiles.example.com;
font-src 'self' https://cdnjs.cloudflare.com;
connect-src 'self' https://your-geoserver-instance.com;
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri 'self';
# Additional security directives
child-src 'self';
worker-src 'self';
manifest-src 'self';
media-src 'self';
report-uri /csp-report;" always;
# Additional security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
GeoServer-Specific Configuration
In addition to nginx configuration, you may need to adjust GeoServer’s security settings. According to the GeoServer security documentation, you can configure security through the web interface or by modifying the security configuration files:
- Authentication Filters: Ensure your authentication filters are properly configured to work with CSP:
<filter>
<filter-name>CSRF</filter-name>
<filter-class>org.geoserver.filters.GeoServerCSRFFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>*</param-value>
</init-param>
</filter>
- CSRF Whitelist Configuration: As you mentioned, you’ve already configured the CSRF whitelist in web.xml. Ensure it includes all necessary endpoints:
<context-param>
<param-name>GEOSERVER_CSRF_WHITELIST</param-name>
<param-value>*,/geoserver/web/*,/geoserver/login/*,/geoserver/logout/*</param-value>
</context-param>
Custom CSP Directives for GeoServer Extensions
If you’re using GeoServer extensions, you may need to customize your CSP further. For example, if you’re using the print extension or other third-party plugins:
# For print extension
add_header Content-Security-Policy "...;
# Allow print extension resources
connect-src 'self' https://your-print-server.com;
# Allow print-specific styles
style-src 'self' 'unsafe-inline' https://print-extension.example.com;" always;
Remember that each extension may have different requirements, so you’ll need to test and adjust your CSP accordingly.
Testing and Verifying Your Configuration
After implementing your CSP configuration for GeoServer 2.27 behind nginx reverse proxy, thorough testing is essential to ensure both security and functionality. Without proper verification, you might leave security holes or continue experiencing login issues.
Using Browser Developer Tools
The most immediate way to test your CSP configuration is through browser developer tools:
- Open Chrome DevTools (F12) or Firefox Developer Tools
- Go to the Network tab and filter by “CSP” or “Security”
- Attempt to log in to GeoServer
- Check for CSP violation reports in the console or Network tab
In Chrome, CSP violations appear in the Security tab of the Network panel, while in Firefox, they’re visible in the console as warnings or errors.
Online CSP Testing Tools
Several online tools can help validate your CSP configuration:
- CSP Evaluator (https://csp-evaluator.withgoogle.com/)
- CSP Scanner (https://csper.io/)
- Mozilla Observatory (https://observatory.mozilla.org/)
These tools analyze your CSP policy and provide recommendations for improvement while identifying potential security vulnerabilities.
Automated Testing Scripts
For more comprehensive testing, you can create automated scripts to verify GeoServer login functionality with your CSP configuration:
// Example using Puppeteer for automated testing
const puppeteer = require('puppeteer');
(async () => {
const browser = await puppeteer.launch();
const page = await browser.newPage();
// Enable CSP violation reporting
await page.on('console', msg => {
if (msg.type() === 'warning' && msg.text().includes('Content Security Policy'))
console.log('CSP Violation:', msg.text());
});
await page.goto('https://your-domain/geoserver/web');
// Test login functionality
await page.type('#username', 'your-username');
await page.type('#password', 'your-password');
await page.click('input[type="submit"]');
await page.waitForNavigation();
const currentUrl = page.url();
console.log('Login successful:', currentUrl.includes('home'));
await browser.close();
})();
Verification Checklist
Before considering your CSP configuration complete, verify the following:
- [ ] Login form submission works without errors
- [ ] All inline styles are applied correctly
- [ ] JavaScript functionality (validation, dynamic content) works
- [ ] No CSP violations appear in browser console
- [ ] CSRF protection remains functional
- [ ] Security headers are properly applied
- [ ] Performance hasn’t degraded significantly
- [ ] The configuration works across different browsers
- [ ] Third-party extensions (if any) function correctly
- [ ] Security audit tools pass without critical findings
Regular re-testing is recommended, especially after GeoServer updates or nginx configuration changes.
Sources
- GeoServer Documentation — Comprehensive guide for GeoServer installation and configuration: https://docs.geoserver.org/stable/en/user/
- GeoServer Security Documentation — Security configuration options and authentication settings: https://docs.geoserver.org/stable/en/user/security/index.html
- GeoServer Web Admin Documentation — Information about the web administration interface and navigation: https://docs.geoserver.org/stable/en/user/webadmin/index.html
- GeoServer 2.27.0 Release Notes — Details about changes and improvements in version 2.27: https://geoserver.org/release/2.27.0/
- GitHub GeoServer Repository — Source code and release information for GeoServer: https://github.com/geoserver/geoserver/releases/tag/2.27.0
Conclusion
Resolving Content Security Policy errors in GeoServer 2.27 when using nginx reverse proxy requires a multi-faceted approach that addresses both the security enhancements introduced in the new version and the specific requirements of your deployment environment. By carefully configuring both nginx and GeoServer security settings, you can maintain robust security while ensuring that login functionality and the web interface continue to work properly.
The key to success lies in understanding the specific CSP violations occurring—whether they’re related to form submission, inline styles, or script sources—and implementing targeted solutions that address these issues without compromising security. Starting with permissive policies and gradually tightening them as you identify necessary resources helps ensure functionality while maintaining security best practices.
Regular testing and verification should be part of your ongoing maintenance routine, especially after GeoServer updates or changes to your reverse proxy configuration. With the right approach, you can leverage the enhanced security features of GeoServer 2.27 while maintaining a seamless user experience for your geospatial data management needs.
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. Designed for interoperability, it publishes data from any major spatial data source using open standards. The web administration interface provides access to login functionality that may be affected by Content Security Policy restrictions when using nginx reverse proxy. After upgrading to GeoServer 2.27, users may encounter CSP errors that block form submission and inline styles during login attempts.
The GeoServer security documentation covers authentication, authorization, and security configuration options. However, the official Content Security Policy documentation page returns a 404 error, indicating specific CSP guidance may not be readily available in the current documentation. GeoServer includes security features like key authentication, CAS, GeoFence Client, and GeoFence Server that may interact with CSP settings when deployed behind nginx reverse proxy.
The GeoServer web administration interface includes login functionality that could be affected by Content Security Policy restrictions when using nginx reverse proxy. The login page screenshot shows the interface where CSP errors are occurring according to the user’s question. This documentation provides information about navigating the GeoServer graphical interface, which may help understand the affected components.
GeoServer 2.27.0 was released on April 3, 2025, with various security and functionality updates that may have introduced stricter Content Security Policy enforcement. The release page includes documentation and extensions that may be relevant to resolving CSP issues, particularly security-related extensions like key authentication, CAS, and GeoFence. The web archive (WAR) deployment option may require different CSP considerations compared to the binary distribution.
The GitHub release page for GeoServer 2.27.0 mentions various bug fixes and issues but doesn’t provide specific CSP configuration guidance. As a core contributor to the GeoServer project, groldan would have insights into the security changes in this version that might affect CSP compliance. The release notes may contain clues about security-related changes that impact the web interface and login functionality, particularly when deployed behind reverse proxies like nginx.
