Remove Google Analytics and Google Tag Manager from Content Security Policy

Removed Google Analytics and Google Tag Manager domains from the Content Security Policy headers to disable tracking and analytics functionality on the CRM application. This change affects both the main CSP header and the legacy X-Content-Security-Policy header for backward compatibility.

crm.mcmed.ru

@@ -29,8 +29,10 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
-    add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://cdn.jsdelivr.net ws: wss:; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+    add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://cdn.jsdelivr.net ws: wss:; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
+    # add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
 
@@ -109,6 +111,11 @@ server {
     # Защита от атак на сервер
     server_tokens off;
     add_header X-Powered-By "CRM Security Server" always;
+    
+    # Защита от client-side desync атак
+    proxy_request_buffering off;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
 
     # Логирование
     access_log /var/log/nginx/crm.access.log;

crm.mcmed.ru.work

@@ -0,0 +1 @@
+/etc/nginx/sites-available/crm.mcmed.ru