Set up Nginx as a proxy that adds a specific header to any response


I’m putting together a few Docker containers to allow my team to spot XSS vulnerabilities in their apps by launching a Google Chrome instance using a particular proxy server. e.g.,

"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --user-data-dir=/tmp --proxy-server=http://localhost:8080

Then they can navigate to any URLs, do some testing and check the results.

On port 8080 is an Nginx server which I use as a proxy to add a specific header to any responses:

Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri //localhost:9090

What this header does is report any CSP violations to localhost:9090, which runs a CSP report collector service.

The only thing that Nginx has to do is:

  1. Let any request through
  2. Intercept any response and add the header
  3. Let the response through

Here’s my current Nginx conf:

As you can see below, I haven’t made any attempt to add the header yet (that’s fine, I’ll manage this later). However, I’m really struggling with point 3. I can see requests going through Nginx but nothing seems to come out of it.

events {
  worker_connections  1024;
}

http {
  server {
    listen 80;
    location / {
      proxy_pass $host;
    }
  }
}

How do I configure Nginx to do that? I’m also open to alternatives to Nginx if that’s simpler.
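
One possible configuration for the three steps listed in the question, as an added example that is not part of the original post. The resolver address and the loopback-only port publishing are assumptions about the Docker setup, and the header value is the one quoted above.

```nginx
events {
  worker_connections 1024;
}

http {
  server {
    # Container port from the question. Assumption: it is published on the
    # host loopback only (for example 127.0.0.1:8080:80), so the forward
    # proxy is not reachable from other machines.
    listen 80;

    # proxy_pass with variables resolves hostnames at request time, which
    # requires a resolver. Assumption: 127.0.0.11 is Docker's embedded DNS
    # on a user-defined network; use another DNS server otherwise.
    resolver 127.0.0.11 ipv6=off;

    location / {
      # Steps 1 and 3: forward the request to the host the browser asked
      # for. proxy_pass needs a scheme; a bare "$host" is not a valid
      # upstream URL. $http_host keeps a non-default port, $request_uri
      # keeps the original path and query string.
      proxy_pass http://$http_host$request_uri;

      # Step 2: add the report-only policy to every proxied response.
      # "always" also covers error responses (4xx/5xx), which add_header
      # skips by default.
      add_header Content-Security-Policy-Report-Only
                 "require-trusted-types-for 'script'; report-uri //localhost:9090"
                 always;
    }
  }
}

# Limitation: stock Nginx does not implement the CONNECT method, so this
# only covers plain-HTTP sites. HTTPS traffic is tunnelled end to end and
# its response headers cannot be modified here; that needs a
# TLS-intercepting proxy trusted by the test browser profile.
```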