How do you configure CSP headers on 20+ applications ?
from ohshit604@sh.itjust.works to selfhosted@lemmy.world on 02 Aug 06:30
https://sh.itjust.works/post/43279888
from ohshit604@sh.itjust.works to selfhosted@lemmy.world on 02 Aug 06:30
https://sh.itjust.works/post/43279888
I’ve been working on adding security headers to my reverse proxy and so far I believe to have gotten most of them except for Content Security Policies, I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks of Lemmy know the best way to go about this.
I want to note that I never worked with headers in the past, I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos but can’t seem to get it right.
headers: headers: customRequestHeaders: X-Forwarded-Proto: https accessControlAllowMethods: - GET - OPTIONS - PUT accessControlMaxAge: 100 hostsProxyHeaders: - "X-Forwarded-Host" stsSeconds: 31536000 stsIncludeSubdomains: true stsPreload: true forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works. customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options contentTypeNosniff: true browserXssFilter: true contentSecurityPolicy: "" referrerPolicy: "same-origin" permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()" customResponseHeaders: X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server server: "traefik"
threaded - newest
your in luck, I have been doing this at work.
First have a look at the report header Content-Security-Policy-Report-Only add things you know about, as that will allow you to log what you need to have setup. Then once you have a list of things you know you need, add them and what the logs again. adding in things as you see and verify them.
Also dont just add things in without checking that its in your code, you dont want to add
hack-me.com
by mistake.Do you happen to know of any self hosted report-ingestion, that allows me to check my csp and somewhat visualize them? I know there are services like report-uri and such, but they do cost a monthly fee and probably also have a privacy impact for my visitors
Sorry I dont, but our devs have some PHP to log requests to a file. On Monday will see if I can get that and make a docker image you can run
I looked in to this a while back and didn’t find anything complete. I ended up using a collector and feeding the reports in to my existing Loki and making my own Grafana dashboard.
I have started on a docker image that will allow you to collect the CSP reports 👉 github.com/mhzawadi/docker-csp-report
Its not working just yet, will work it this week
Thank you for this! I feel as if I got the idea however, failed on the execution. I added this to my
routers.yml
-To my understanding the
report-to
directive at the end adds a endpoint called/csp-report
yet in my testing it doesn’t appear to exist and just leads to 403, I’m likely doing something totally wrong but I appreciate you pointing me in the right direction!That’s fair, I’m certainly no wiz at programming and this is just self-hosted docker applications that I’ve jerry-rigged to work with one another.
Yeah that’s the gist, there need to be something on the end of
/csp-report
or it won’t work.Will have a look and see if I can make something
I started with this in 2021 mgdm.net/weblog/csp-logging-with-nginx/
At some point in 2024 i got Claude to take over this management. Now i have an agent that maintains this workflow, and all csp reports are in nginx/json
Is scripting an option? You could script adding the header.
this just in 👉 hub.docker.com/r/mhzawadi/csp-report
Ah bless!
I’ve been using Firefox extensions to make up my CSP’s and so far it’s been an absolute nightmare! Thank you for this tool!
will be adding it to my setup on Tuesday, so will see how well it works in anger
Is there any special configuration needed for it? Env variables, network interface, volumes & config files, etc?
I plan to set this up in a docker-compose file later this afternoon once I get some free time.
theres no config for it, it listens on port 8080. I need to expose the logs dir, but not done that yet. So all the logs will only be in the container, but you could point a mount at
/var/www/html/logs
Hey there! Following up on this, i got your application started however, it seems that this is more for folks who actually know PHP an HTML and less for folks like myself who just find Docker applications (Invidious, Homepage, RedLib) spin them up and rig them to work with one another so i don’t think this will work for me personally at the moment in time regardless seems like a great tool nonetheless!
Thanks again!
Oh, you shouldn’t need to do anything other then point a site at it.
Will update the readme when I get home
Edit: thanks for the feedback