I’ve been working on adding security headers to my reverse proxy and so far I believe to have gotten most of them except for Content Security Policies, I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks of Lemmy know the best way to go about this.

I want to note that I never worked with headers in the past, I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos but can’t seem to get it right.

    headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
        contentSecurityPolicy: ""
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          server: "traefik"
  • ohshit604@sh.itjust.worksOPEnglish
    2·
    4 days ago

    First have a look at the report header Content-Security-Policy-Report-Only add things you know about, as that will allow you to log what you need to have setup. Then once you have a list of things you know you need, add them and what the logs again. adding in things as you see and verify them.

    Thank you for this! I feel as if I got the idea however, failed on the execution. I added this to my routers.yml -

            contentSecurityPolicyReportOnly: "child-src; connect-src; default-src; font-src; frame-src; img-src; manifest-src; media-src; object-src; script-src; script-src-elem; script-src-attr; style-src; style-src-elem; style-src-attr; worker-src; report-to csp-report"

    To my understanding the report-to directive at the end adds a endpoint called /csp-report yet in my testing it doesn’t appear to exist and just leads to 403, I’m likely doing something totally wrong but I appreciate you pointing me in the right direction!

    Also dont just add things in without checking that its in your code, you dont want to add hack-me.com by mistake.

    That’s fair, I’m certainly no wiz at programming and this is just self-hosted docker applications that I’ve jerry-rigged to work with one another.