Tags: ruby-on-rails, nginx, content-security-policy, static-pages

Implementing the CSP header on static pages in Rails


As part of a third-party audit, my company's Rails application was found not to be serving the Content Security Policy (CSP) header for the default 404.html page (or any of the other default static pages from the Rails public folder).

We would like to implement it, but we could not find resources on how to implement the CSP header in these static pages within rails.

The Rails app runs behind nginx web servers.

The CSP header is already correctly added to all the non-static responses served by the app (this is configured in Rails).

So the questions:


Solution

  • After some research, it seems the static pages can have a meta tag added, and that should be enough for compliance with the CSP audit.

    Someone else asked about the security of the CSP meta tag in comparison to the header and this response tells us it is a good alternative to the header.

    Because these static pages do not contain complex resources or scripts, adding this to the static pages head block should be enough:

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';">
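As an added example (not part of the question or the answer above), the Ruby script below checks a static page the way the auditor would: it reports whether the effective CSP comes from the response header or from a meta tag, parses the policy into directives, and flags two meta-tag caveats. First, browsers ignore frame-ancestors, report-uri, report-to and sandbox when they are delivered in a meta tag, so those directives need the header. Second, a meta policy only governs what is parsed after it, so the tag must appear in head before any script or stylesheet. The 404 page body and the header hashes are constructed sample input; the function names are this example's own, not a Rails or nginx API.

```ruby
# Added example: audit the CSP of a static page served from public/.
# Works on a headers Hash plus the HTML body, so it needs no network access;
# in practice you would feed it the output of Net::HTTP or curl.

# Directives that the CSP spec says are ignored when delivered via <meta>.
META_UNSUPPORTED = %w[frame-ancestors report-uri report-to sandbox].freeze

# Parse a serialized policy into { "directive" => ["source", ...] }.
# Trailing semicolons (as in the answer's tag) produce an empty token, skipped here.
def parse_csp(policy)
  policy.split(';').each_with_object({}) do |token, acc|
    name, *sources = token.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = sources
  end
end

# Pull the policy out of <meta http-equiv="Content-Security-Policy" content="...">.
# The content attribute may use either quote style, and the policy itself
# contains single quotes ('self'), so match the closing quote that opened it.
def csp_from_meta(html)
  tag = html.match(/<meta\s+[^>]*http-equiv\s*=\s*["']content-security-policy["'][^>]*>/i)
  return nil unless tag
  content = tag[0].match(/content\s*=\s*(["'])(.*?)\1/i)
  content && content[2]
end

# A header policy is what browsers enforce first; fall back to the meta tag.
# Returns [:header | :meta | :none, policy_or_nil].
def effective_csp(headers, body)
  header = headers.find { |name, _| name.casecmp?('content-security-policy') }
  return [:header, header[1]] if header
  meta = csp_from_meta(body)
  return [:meta, meta] if meta
  [:none, nil]
end

# Directives in the policy that a browser will silently drop if it only
# sees them in a meta tag.
def meta_unsupported_directives(policy)
  parse_csp(policy).keys & META_UNSUPPORTED
end

# A meta policy applies only to content parsed after the tag, so it must
# precede the first <script>. Returns false when there is no meta CSP at all.
def meta_before_scripts?(html)
  meta_pos = html =~ /<meta\s+[^>]*http-equiv\s*=\s*["']content-security-policy["']/i
  return false if meta_pos.nil?
  script_pos = html =~ /<script\b/i
  script_pos.nil? || meta_pos < script_pos
end

# One report per page, in the shape an audit finding would want.
def audit_static_page(headers, body)
  source, policy = effective_csp(headers, body)
  {
    source: source,
    policy: policy,
    directives: policy ? parse_csp(policy) : {},
    ignored_in_meta: source == :meta ? meta_unsupported_directives(policy) : [],
    meta_before_scripts: meta_before_scripts?(body)
  }
end

# Constructed sample: a Rails-style public/404.html with the answer's meta tag
# added to <head>, served without a CSP header (as the audit found).
SAMPLE_404 = <<~HTML
  <!DOCTYPE html>
  <html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';">
    <title>The page you were looking for doesn't exist (404)</title>
  </head>
  <body><h1>The page you were looking for doesn't exist.</h1></body>
  </html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts audit_static_page({ 'Content-Type' => 'text/html' }, SAMPLE_404).inspect
end
```

Run it against each file in public/ (404.html, 422.html, 500.html) with the headers nginx actually returns; a page that reports source :none, or a non-empty ignored_in_meta list, still needs the header side fixed rather than the meta tag.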