Hide content-security-policy in response header?

System Information
  • Strapi Version: v4
  • Operating System:
  • Database:
  • Node Version:
  • NPM Version:
  • Yarn Version:

Hi, team

I added a custom security policy for an AWS S3 bucket like this:

module.exports = [
  // ...
  {
    name: 'strapi::security',
    config: {
      contentSecurityPolicy: {
        useDefaults: true,
        directives: {
          'connect-src': ["'self'", 'https:'],
          'img-src': [
            "'self'",
            'data:',
            'blob:',
            'market-assets.strapi.io',
            'yourBucketName.s3.yourRegion.amazonaws.com',
          ],
          'media-src': [
            "'self'",
            'data:',
            'blob:',
            'market-assets.strapi.io',
            'yourBucketName.s3.yourRegion.amazonaws.com',
          ],
          upgradeInsecureRequests: null,
        },
      },
    },
  },
  // ...
]

But I see these detailed configs in the response header:

< content-security-policy: connect-src 'self' https:;img-src 'self' data: blob: market-assets.strapi.io https://mydomain.com;media-src 'self' data: blob: market-assets.strapi.io https://mydomain.com;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'

Is this expected? And is it safe to expose this to the public?
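An added example to go with this question (it is not code from the post, from Strapi or from Helmet): the script below mirrors how a directives object of the shape shown above is serialised into the Content-Security-Policy value the browser receives, parses that value back, and audits it for the settings a reviewer would question. The baseline directives are constructed to reproduce the header quoted in the post, the bucket host is a placeholder, and the function names (buildCsp, parseCsp, auditCsp) are this example's own.

```javascript
// Added example, not Strapi's or Helmet's own code. A CSP header only
// works if the browser receives it, so the goal is not to hide it but
// to make sure what it allows is what you intend.

// Baseline directives, constructed to reproduce the header in the post.
const BASE_DIRECTIVES = {
  'default-src': ["'self'"],
  'base-uri': ["'self'"],
  'font-src': ["'self'", 'https:', 'data:'],
  'form-action': ["'self'"],
  'frame-ancestors': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'script-src': ["'self'"],
  'script-src-attr': ["'none'"],
  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
  'upgrade-insecure-requests': [],
};

// camelCase directive names (upgradeInsecureRequests) become kebab-case.
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Merge user directives over the baseline. A null value deletes the
// directive, which is how the post drops upgrade-insecure-requests.
function buildCsp(userDirectives, useDefaults = true) {
  const merged = useDefaults ? { ...BASE_DIRECTIVES } : {};
  for (const [rawName, value] of Object.entries(userDirectives)) {
    const name = toKebab(rawName);
    if (value === null) delete merged[name];
    else merged[name] = value;
  }
  return Object.entries(merged)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join(';');
}

// Parse a header value back into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name] = sources;
  }
  return policy;
}

// Audit a header value. Returns { directive, source, note } records so
// the result can be checked programmatically rather than by eye.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const broad = new Set(['*', 'https:', 'http:', "'unsafe-inline'", "'unsafe-eval'"]);
  for (const directive of ['script-src', 'style-src', 'connect-src', 'default-src']) {
    for (const source of policy[directive] || []) {
      if (broad.has(source)) {
        findings.push({ directive, source, note: 'broad or unsafe source' });
      }
    }
  }
  if (!policy['object-src']) {
    findings.push({ directive: 'object-src', source: null, note: 'missing; plugin content not restricted' });
  }
  if (!policy['frame-ancestors']) {
    findings.push({ directive: 'frame-ancestors', source: null, note: 'missing; framing not restricted' });
  }
  return findings;
}

// Constructed input with the same shape as the post's config.
// The bucket host is a placeholder, not a real bucket.
const POST_DIRECTIVES = {
  'connect-src': ["'self'", 'https:'],
  'img-src': ["'self'", 'data:', 'blob:', 'market-assets.strapi.io', 'yourBucketName.s3.yourRegion.amazonaws.com'],
  'media-src': ["'self'", 'data:', 'blob:', 'market-assets.strapi.io', 'yourBucketName.s3.yourRegion.amazonaws.com'],
  upgradeInsecureRequests: null,
};

const header = buildCsp(POST_DIRECTIVES);
console.log('content-security-policy:', header);
console.log(auditCsp(header));

module.exports = { buildCsp, parseCsp, auditCsp, POST_DIRECTIVES, BASE_DIRECTIVES };
```

Run with `node csp-audit.js`. On the post's policy the audit flags the blanket `https:` in connect-src and the `https:` plus `'unsafe-inline'` in style-src; script-src stays at `'self'`, and object-src and frame-ancestors are present, so those checks pass. Listing an S3 bucket host in img-src and media-src discloses only which origins may serve assets, which a browser would see in the page's requests anyway.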