I’ve been working on adding security headers to my reverse proxy and so far I believe to have gotten most of them except for Content Security Policies, I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks of Lemmy know the best way to go about this.
I want to note that I never worked with headers in the past, I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos but can’t seem to get it right.
headers:
headers:
customRequestHeaders:
X-Forwarded-Proto: https
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
contentSecurityPolicy: ""
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
server: "traefik"
Do you happen to know of any self hosted report-ingestion, that allows me to check my csp and somewhat visualize them? I know there are services like report-uri and such, but they do cost a monthly fee and probably also have a privacy impact for my visitors
I looked in to this a while back and didn’t find anything complete. I ended up using a collector and feeding the reports in to my existing Loki and making my own Grafana dashboard.
Sorry I dont, but our devs have some PHP to log requests to a file. On Monday will see if I can get that and make a docker image you can run
I have started on a docker image that will allow you to collect the CSP reports 👉 https://github.com/mhzawadi/docker-csp-report
Its not working just yet, will work it this week