Custom HTML header tags

Tier: Free, Premium, Ultimate
Offering: GitLab Self-Managed

History

If you self-manage a GitLab instance in the EU, or any jurisdiction that requires a cookie consent banner, additional HTML header tags are needed to add scripts and stylesheets.

Security implications

Before enabling this feature, you should understand the security implications this might have.

A previously legit external resource could end up being compromised and then used to extract pretty much any data from any user in the GitLab instance. For that reason, you should never add resources from untrusted external sources. If possible, you should always use integrity checks like Subresource Integrity with third-party resources to confirm the authenticity of the resources that are loaded.

Limit the functionality you are adding by using HTML header tags to the minimum. Otherwise, it could cause also stability or functionality issues if you, for example, interact with other application code from GitLab.

Add a custom HTML header tag

You must add the externals sources to the Content Security Policy which is available in the content_security_policy option. For the following example, you must extend the script_src and style_src.

To add a custom HTML header tag:

Edit /etc/gitlab/gitlab.rb and add your configuration. For example:

gitlab_rails['custom_html_header_tags'] = <<-'EOS'
<script src="https://example.com/cookie-consent.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://example.com/cookie-consent.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous">
EOS

gitlab_rails['content_security_policy'] = {
# extend the following directives
  'directives' => {
    'script_src' => "'self' 'unsafe-eval' https://example.com https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com",
    'style_src' => "'self' 'unsafe-inline' https://example.com",
  }
 }

Save the file, and then reconfigure and restart GitLab.

Edit /home/git/gitlab/config/gitlab.yml:

production: &base
  gitlab:
    custom_html_header_tags: |
      <script src="https://example.com/cookie-consent.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"         crossorigin="anonymous"></script>
      <link rel="stylesheet" href="https://example.com/cookie-consent.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB"        crossorigin="anonymous">
    content_security_policy:
      directives:
        script_src: "'self' 'unsafe-eval' https://example.com http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline' https://example.com"

Save the file and restart GitLab:

# For systems running systemd
sudo systemctl restart gitlab.target

# For systems running SysV init
sudo service gitlab restart

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support