I’ve been working on adding security headers to my reverse proxy and so far I believe to have gotten most of them except for Content Security Policies, I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks of Lemmy know the best way to go about this.
I want to note that I never worked with headers in the past, I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos but can’t seem to get it right.
headers:
headers:
customRequestHeaders:
X-Forwarded-Proto: https
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
accessControlMaxAge: 100
hostsProxyHeaders:
- "X-Forwarded-Host"
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
contentTypeNosniff: true
browserXssFilter: true
contentSecurityPolicy: ""
referrerPolicy: "same-origin"
permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
server: "traefik"
Oh, you shouldn’t need to do anything other then point a site at it.
Will update the readme when I get home
Edit: thanks for the feedback
Okay so going at it again, i think i now understand the reason for the Docker label now, here is my current
docker-compose.ymli made some tweaks to the one from your github but i can’t seem to get a log file to generate.I suspected it was a permissions issue on the volume mount so i ran
chmod 777on the./config/cspdirectory but still wont get a log file.Volume directory permissions:
user@debian:~/compose$ ls config/ | grep csp; ls config/csp/; ls config/csp/logs/ drwxrwxrwx 3 user user 4096 Aug 9 09:11 csp total 12 drwxrwxrwx 3 user user 4096 Aug 9 09:11 . drwxr-xr-x 44 user user 4096 Aug 8 16:41 .. drwxrwxrwx 2 user user 4096 Aug 9 09:04 logs total 8 drwxrwxrwx 2 user user 4096 Aug 9 09:04 . drwxrwxrwx 3 user user 4096 Aug 9 09:11 ..docker-compose.yml:
csp-report: image: mhzawadi/csp-report networks: main: ipv4_address: 172.18.0.38 #ports: # - "8432:8080" ports: - target: 8080 published: 8432 mode: host container_name: csp-report environment: - TZ=America/Vancouver labels: - "csp_report.url=192.168.1.199:3000" volumes: - ./config/csp/logs:/var/www/html/logsLogs from the docker container:
user@debian:~/compose$ sudo docker compose up -d csp-report --force-recreate; sudo docker logs csp-report -f WARN[0000] The "POSTGRES_DB" variable is not set. Defaulting to a blank string. [+] Running 1/1 ✔ Container csp-report Started 0.5s /config/start.sh: Launching Unit daemon to perform initial configuration... 2025/08/09 16:21:18 [info] 12#12 unit 1.34.1 started 2025/08/09 16:21:18 [info] 14#14 discovery started BusyBox v1.37.0 (2025-08-05 16:42:11 UTC) multi-call binary. Usage: seq [-w] [-s SEP] [FIRST [INC]] LAST Print numbers from FIRST to LAST, in steps of INC. FIRST, INC default to 1. -w Pad with leading zeros -s SEP String separator 2025/08/09 16:21:18 [notice] 14#14 module: php 8.4.2 "/usr/lib/unit/modules/php84.unit.so" 2025/08/09 16:21:18 [info] 13#13 controller started 2025/08/09 16:21:18 [notice] 13#13 process 14 exited with code 0 2025/08/09 16:21:18 [info] 18#18 router started 2025/08/09 16:21:18 [info] 18#18 OpenSSL 3.3.4 1 Jul 2025, 30300040 { "certificates": {}, "config": { "listeners": {}, "routes": [], "applications": {} }, "status": { "modules": { "php": { "version": "8.4.2", "lib": "/usr/lib/unit/modules/php84.unit.so" } }, "connections": { "accepted": 0, "active": 0, "idle": 0, "closed": 0 }, "requests": { "total": 0 }, "applications": {} } } % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 2025/08/09 16:21:18 [info] 20#20 "csp_report" prototype started 2025/08/09 16:21:18 [info] 21#21 "csp_report" application started { "success": "Reconfiguration done." } 100 413 100 43 100 370 2808 24162 --:--:-- --:--:-- --:--:-- 27533 /config/start.sh: Stopping Unit daemon after initial configuration... 2025/08/09 16:21:18 [notice] 13#13 process 17 exited with code 0 2025/08/09 16:21:18 [notice] 20#20 app process 21 exited with code 0 2025/08/09 16:21:18 [alert] 20#20 sendmsg(13, -1, -1, 2) failed (32: Broken pipe) 2025/08/09 16:21:18 [notice] 13#13 process 18 exited with code 0 2025/08/09 16:21:18 [notice] 13#13 process 20 exited with code 0 BusyBox v1.37.0 (2025-08-05 16:42:11 UTC) multi-call binary. Usage: seq [-w] [-s SEP] [FIRST [INC]] LAST Print numbers from FIRST to LAST, in steps of INC. FIRST, INC default to 1. /config/start.sh: Unit initial configuration complete; ready for start up... -w Pad with leading zeros -s SEP String separator 2025/08/09 16:21:18 [info] 1#1 unit 1.34.1 started 2025/08/09 16:21:18 [info] 31#31 discovery started 2025/08/09 16:21:18 [notice] 31#31 module: php 8.4.2 "/usr/lib/unit/modules/php84.unit.so" 2025/08/09 16:21:18 [info] 1#1 controller started 2025/08/09 16:21:18 [notice] 1#1 process 31 exited with code 0 2025/08/09 16:21:18 [info] 33#33 router started 2025/08/09 16:21:18 [info] 33#33 OpenSSL 3.3.4 1 Jul 2025, 30300040 2025/08/09 16:21:18 [info] 34#34 "csp_report" prototype started 2025/08/09 16:21:18 [info] 35#35 "csp_report" application started 127.0.0.1 - - [09/Aug/2025:16:21:23 +0000] "POST / HTTP/1.1" 200 7 "-" "curl/8.12.1"that looks to be wotking, the last line is the health check.
The nect thing is to see if a test works, dies the bellow show up? (run from the docker host)
curl -i -X POST http://127.0.0.1:8432/ \ -H "application/reports+json" \ --data '{"csp-report":{"document-uri":"https://www.horwood.biz/","referrer":"https://www.horwood.biz/","violated-directive":"docker health check","effective-directive":"docker health check","original-policy":"docker health check","disposition":"docker health check","blocked-uri":"https://www.horwood.biz/","status-code":200,"script-sample":""}}'