Custom HTML header tags
- Tier: Free, Premium, Ultimate
- Offering: GitLab Self-Managed
If you self-manage a GitLab instance in the EU, or any jurisdiction that requires a cookie consent banner, additional HTML header tags are needed to add scripts and stylesheets.
Security implications
Before enabling this feature, you should understand the security implications this might have.
A previously legitimate external resource could become compromised and then be used to extract almost any data from any user of the GitLab instance. For that reason, never add resources from untrusted external sources. Where possible, use integrity checks such as Subresource Integrity (SRI) with third-party resources to confirm the authenticity of the resources that are loaded.
Keep the functionality you add through HTML header tags to a minimum. Otherwise, it can also cause stability or functionality issues, for example if the added code interacts with other GitLab application code.
Add a custom HTML header tag
You must add the external sources to the Content Security Policy, which is available in the content_security_policy option. For the following example, you must extend the script_src and style_src directives.
To add a custom HTML header tag:
Edit /etc/gitlab/gitlab.rb and add your configuration. For example:

```ruby
gitlab_rails['custom_html_header_tags'] = <<-'EOS'
<script src="https://example.com/cookie-consent.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://example.com/cookie-consent.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous">
EOS

gitlab_rails['content_security_policy'] = {
  # extend the following directives
  'directives' => {
    'script_src' => "'self' 'unsafe-eval' https://example.com https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com",
    'style_src' => "'self' 'unsafe-inline' https://example.com",
  }
}
```
Save the file, and then reconfigure and restart GitLab.
Edit /home/git/gitlab/config/gitlab.yml and add your configuration. For example:

```yaml
production: &base
  gitlab:
    custom_html_header_tags: |
      <script src="https://example.com/cookie-consent.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
      <link rel="stylesheet" href="https://example.com/cookie-consent.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous">
    content_security_policy:
      directives:
        script_src: "'self' 'unsafe-eval' https://example.com http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline' https://example.com"
```
Save the file and restart GitLab:
```shell
# For systems running systemd
sudo systemctl restart gitlab.target

# For systems running SysV init
sudo service gitlab restart
```
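A pre-deployment check for the two requirements above (SRI on every external resource, and the resource origin allowed by the matching CSP directive), added here as an illustration and not part of GitLab or its documentation. The sample tags and directives are constructed from the configuration example; sri_value shows how the integrity attribute is derived from the exact bytes a resource serves, and the origin matching is a simplification of CSP source-expression matching.

```ruby
require 'digest'
require 'base64'
require 'uri'

# Compute the SRI value the way browsers check it: the algorithm name, a dash,
# then the base64 of the raw digest of the exact bytes served.
def sri_value(body, algo: 'sha384')
  digest = { 'sha256' => Digest::SHA256, 'sha384' => Digest::SHA384,
             'sha512' => Digest::SHA512 }.fetch(algo)
  "#{algo}-#{Base64.strict_encode64(digest.digest(body))}"
end

TAG_RE  = /<(script|link)\b([^>]*)>/i
ATTR_RE = /(\w+)=["']([^"']*)["']/
SRI_RE  = %r{\Asha(256|384|512)-[A-Za-z0-9+/]+=*\z}

# Audit custom header tags against the CSP directives before reconfiguring:
# each external script or stylesheet needs a well-formed integrity attribute,
# crossorigin="anonymous", and an origin listed in the matching directive.
# Origin matching is simplified (exact scheme://host, optionally with a path),
# not full CSP source-expression matching. Returns a list of findings.
def audit_header_tags(html, directives)
  findings = []
  html.scan(TAG_RE) do |tag, attr_str|
    attrs = attr_str.scan(ATTR_RE).to_h { |k, v| [k.downcase, v] }
    script = tag.casecmp?('script')
    next if !script && attrs['rel'] != 'stylesheet'
    url = script ? attrs['src'] : attrs['href']
    next unless url&.start_with?('http')   # inline or relative: no SRI needed
    directive = script ? 'script_src' : 'style_src'
    u = URI(url)
    origin = "#{u.scheme}://#{u.host}"
    allowed = directives.fetch(directive, '').split
    findings << "#{url}: missing or malformed integrity" unless attrs['integrity'].to_s.match?(SRI_RE)
    findings << "#{url}: crossorigin must be \"anonymous\"" unless attrs['crossorigin'] == 'anonymous'
    findings << "#{url}: #{origin} not in #{directive}" unless allowed.any? { |s| s == origin || s.start_with?("#{origin}/") }
  end
  findings
end

# Constructed sample: the tags and directives from the configuration example.
SAMPLE_TAGS = <<~HTML
  <script src="https://example.com/cookie-consent.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
  <link rel="stylesheet" href="https://example.com/cookie-consent.css" integrity="sha384-+/M6kredJcxdsqkczBUjMLvqyHb1K/JThDXWsBVxMEeZHEaMKEOEct339VItX1zB" crossorigin="anonymous">
HTML
SAMPLE_CSP = { 'script_src' => "'self' 'unsafe-eval' https://example.com https://www.google.com/recaptcha/",
               'style_src'  => "'self' 'unsafe-inline' https://example.com" }

p audit_header_tags(SAMPLE_TAGS, SAMPLE_CSP)   # => []
```

To fill in an integrity attribute, fetch the resource once over HTTPS, pass its bytes to sri_value, and paste the result; any later change to the served file then fails the browser's check instead of running.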