I’ve been working on adding security headers to my reverse proxy and so far I believe I have gotten most of them except for Content Security Policies. I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope the folks of Lemmy know the best way to go about this.
I want to note that I have never worked with headers in the past. I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos, but can’t seem to get it right.
```yaml
headers:                 # name of the middleware (referenced from the routers)
  headers:               # Traefik "headers" middleware options
    customRequestHeaders:
      X-Forwarded-Proto: https
    accessControlAllowMethods:
      - GET
      - OPTIONS
      - PUT
    accessControlMaxAge: 100
    hostsProxyHeaders:
      - "X-Forwarded-Host"
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
    customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    contentTypeNosniff: true
    browserXssFilter: true
    contentSecurityPolicy: ""  # empty value: Traefik sends no Content-Security-Policy header at all
    referrerPolicy: "same-origin"
    permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
    customResponseHeaders:
      X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" # disable search engines from indexing home server (trailing comma removed)
      server: "traefik"
```
That looks to be working; the last line is the health check.
The next thing is to see if a test works. Does the below show up? (run from the docker host)
```shell
# Content-Type header was missing its name in the original paste; fixed here.
curl -i -X POST http://127.0.0.1:8432/ \
  -H "Content-Type: application/reports+json" \
  --data '{"csp-report":{"document-uri":"https://www.horwood.biz/","referrer":"https://www.horwood.biz/","violated-directive":"docker health check","effective-directive":"docker health check","original-policy":"docker health check","disposition":"docker health check","blocked-uri":"https://www.horwood.biz/","status-code":200,"script-sample":""}}'
```
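Added example (my own code, not from either post or from Traefik): one way to manage a CSP across many apps is to keep a single strict baseline policy, add only the per-app relaxations each service actually needs, and first ship it as `Content-Security-Policy-Report-Only` via the same `customResponseHeaders` mechanism the config above already uses, so nothing breaks while violation reports come in. The script below builds one Traefik middleware per app from that baseline, renders it as a YAML dynamic-config fragment, and parses a violation report of the shape the health-check curl sends, so reports can be turned back into the directive that needs adjusting. The app names, the overrides, the `/csp-report` path and the `SAMPLE_REPORT` body are constructed for the example; the real middleware and router names are whatever you use in your own setup.

```python
"""Baseline-plus-overrides CSP generator for Traefik, and a CSP report parser.

Added example for the thread above; hypothetical app names and paths.
"""
import json
from typing import Dict, List

# One strict baseline shared by every app. Per-app overrides may only ADD sources.
BASELINE_CSP: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}

# Constructed per-app relaxations (hypothetical app names). Keep this list short:
# every entry here is a hole in the baseline and should be justified by a report.
APP_OVERRIDES: Dict[str, Dict[str, List[str]]] = {
    "wiki": {"img-src": ["https:"], "style-src": ["'unsafe-inline'"]},
    "dashboard": {"connect-src": ["wss:"]},
}

# Constructed CSP violation report in the report-uri JSON shape (same shape as the curl above).
SAMPLE_REPORT = (
    b'{"csp-report":{"document-uri":"https://example.invalid/wiki/",'
    b'"violated-directive":"img-src","effective-directive":"img-src",'
    b'"blocked-uri":"https://cdn.example.invalid/logo.png","status-code":200}}'
)


def merge_csp(baseline: Dict[str, List[str]], overrides: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return baseline with the override sources appended (no duplicates, baseline order kept)."""
    merged = {directive: list(sources) for directive, sources in baseline.items()}
    for directive, sources in overrides.items():
        merged.setdefault(directive, [])
        for source in sources:
            if source not in merged[directive]:
                merged[directive].append(source)
    return merged


def render_csp(policy: Dict[str, List[str]], report_uri: str = "") -> str:
    """Serialise a policy dict into a Content-Security-Policy header value."""
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def traefik_middlewares(apps: Dict[str, Dict[str, List[str]]], report_uri: str, enforce: bool = False) -> dict:
    """Build one Traefik headers middleware per app (csp-<app>).

    enforce=False emits Content-Security-Policy-Report-Only so browsers only report;
    flip to True per app once its reports are clean.
    """
    header_name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    middlewares = {}
    for app, overrides in apps.items():
        value = render_csp(merge_csp(BASELINE_CSP, overrides), report_uri)
        middlewares[f"csp-{app}"] = {"headers": {"customResponseHeaders": {header_name: value}}}
    return {"http": {"middlewares": middlewares}}


def to_yaml(node: dict, indent: int = 0) -> str:
    """Tiny YAML emitter for nested dicts of strings (values are double-quoted; CSP only uses single quotes)."""
    pad = "  " * indent
    lines = []
    for key, value in node.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(to_yaml(value, indent + 1))
        else:
            lines.append(f'{pad}{key}: "{value}"')
    return "\n".join(lines)


def parse_csp_report(body: bytes) -> Dict[str, str]:
    """Extract the fields a defender acts on from a report-uri style violation report."""
    data = json.loads(body)
    if "csp-report" not in data:
        raise ValueError("not a csp-report body")
    report = data["csp-report"]
    return {
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
        "document": report.get("document-uri", ""),
    }


if __name__ == "__main__":
    print(to_yaml(traefik_middlewares(APP_OVERRIDES, "/csp-report")))
    print(parse_csp_report(SAMPLE_REPORT))
```

Save the printed fragment as a file in the Traefik file-provider directory and attach `csp-<app>@file` to each app's router alongside the existing `headers` middleware; because YAML is a superset of JSON the same structure could also be written with `json.dumps`. Reports arrive at whatever collector `report-uri` points to (the health check above posts to one on port 8432); once an app's collector shows no unexpected `directive`/`blocked` pairs, regenerate that app with `enforce=True`.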