Nginx

Running Mastodon or any self-hosted platform means you inherit the fun parts of security too. CSP is one of those controls that looks simple until your admin UI breaks, media stops loading, and WebSockets quietly die in production. I’ve seen this happen a lot with self-hosted stacks: someone pastes a “secure CSP” from a random blog post, then spends the next two hours figuring out why avatars, custom themes, analytics, embeds, or ActionCable stopped working. ...

I’ve seen a bunch of teams do the same thing with Content Security Policy on Nginx: they add one header at the reverse proxy, ship it, and assume the app is now “protected.” Then analytics breaks, consent banners disappear, WebSocket calls fail, and somebody quietly removes the header on Friday evening. That usually happens because CSP at the reverse proxy layer is not just “set a header.” It’s policy design, inheritance, proxy behavior, and app rendering all tangled together. ...