How do you configure CSP headers on 20+ applications ?
from ohshit604@sh.itjust.works to selfhosted@lemmy.world on 02 Aug 06:30
https://sh.itjust.works/post/43279888

I’ve been working on adding security headers to my reverse proxy and so far I believe to have gotten most of them except for Content Security Policies, I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks of Lemmy know the best way to go about this.

I want to note that I never worked with headers in the past, I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos but can’t seem to get it right.

    headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
        contentSecurityPolicy: ""
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          server: "traefik"

#selfhosted

threaded - newest

mhzawadi@lemmy.horwood.cloud on 02 Aug 08:00 next collapse

your in luck, I have been doing this at work.

First have a look at the report header Content-Security-Policy-Report-Only add things you know about, as that will allow you to log what you need to have setup. Then once you have a list of things you know you need, add them and what the logs again. adding in things as you see and verify them.

Also dont just add things in without checking that its in your code, you dont want to add hack-me.com by mistake.

elvith@feddit.org on 02 Aug 09:00 next collapse

Do you happen to know of any self hosted report-ingestion, that allows me to check my csp and somewhat visualize them? I know there are services like report-uri and such, but they do cost a monthly fee and probably also have a privacy impact for my visitors

mhzawadi@lemmy.horwood.cloud on 02 Aug 09:16 next collapse

Sorry I dont, but our devs have some PHP to log requests to a file. On Monday will see if I can get that and make a docker image you can run

forbiddenlake@lemmy.world on 03 Aug 02:22 next collapse

I looked in to this a while back and didn’t find anything complete. I ended up using a collector and feeding the reports in to my existing Loki and making my own Grafana dashboard.

mhzawadi@lemmy.horwood.cloud on 04 Aug 07:11 collapse

I have started on a docker image that will allow you to collect the CSP reports 👉 github.com/mhzawadi/docker-csp-report

Its not working just yet, will work it this week

ohshit604@sh.itjust.works on 03 Aug 17:42 collapse

First have a look at the report header Content-Security-Policy-Report-Only add things you know about, as that will allow you to log what you need to have setup. Then once you have a list of things you know you need, add them and what the logs again. adding in things as you see and verify them.

Thank you for this! I feel as if I got the idea however, failed on the execution. I added this to my routers.yml -

        contentSecurityPolicyReportOnly: "child-src; connect-src; default-src; font-src; frame-src; img-src; manifest-src; media-src; object-src; script-src; script-src-elem; script-src-attr; style-src; style-src-elem; style-src-attr; worker-src; report-to csp-report"

To my understanding the report-to directive at the end adds a endpoint called /csp-report yet in my testing it doesn’t appear to exist and just leads to 403, I’m likely doing something totally wrong but I appreciate you pointing me in the right direction!

Also dont just add things in without checking that its in your code, you dont want to add hack-me.com by mistake.

That’s fair, I’m certainly no wiz at programming and this is just self-hosted docker applications that I’ve jerry-rigged to work with one another.

mhzawadi@lemmy.horwood.cloud on 03 Aug 18:00 collapse

Yeah that’s the gist, there need to be something on the end of /csp-report or it won’t work.

Will have a look and see if I can make something

Cyberflunk@lemmy.world on 02 Aug 14:47 next collapse

I started with this in 2021 mgdm.net/weblog/csp-logging-with-nginx/

At some point in 2024 i got Claude to take over this management. Now i have an agent that maintains this workflow, and all csp reports are in nginx/json

possiblylinux127@lemmy.zip on 03 Aug 08:31 next collapse

Is scripting an option? You could script adding the header.

mhzawadi@lemmy.horwood.cloud on 08 Aug 07:55 collapse

this just in 👉 hub.docker.com/r/mhzawadi/csp-report

ohshit604@sh.itjust.works on 08 Aug 12:29 collapse

Ah bless!

I’ve been using Firefox extensions to make up my CSP’s and so far it’s been an absolute nightmare! Thank you for this tool!

mhzawadi@lemmy.horwood.cloud on 08 Aug 12:30 collapse

will be adding it to my setup on Tuesday, so will see how well it works in anger

ohshit604@sh.itjust.works on 08 Aug 13:01 collapse

Is there any special configuration needed for it? Env variables, network interface, volumes & config files, etc?

I plan to set this up in a docker-compose file later this afternoon once I get some free time.

mhzawadi@lemmy.horwood.cloud on 08 Aug 13:03 collapse

theres no config for it, it listens on port 8080. I need to expose the logs dir, but not done that yet. So all the logs will only be in the container, but you could point a mount at /var/www/html/logs

ohshit604@sh.itjust.works on 08 Aug 23:54 collapse

Hey there! Following up on this, i got your application started however, it seems that this is more for folks who actually know PHP an HTML and less for folks like myself who just find Docker applications (Invidious, Homepage, RedLib) spin them up and rig them to work with one another so i don’t think this will work for me personally at the moment in time regardless seems like a great tool nonetheless!

Thanks again!

mhzawadi@lemmy.horwood.cloud on 09 Aug 07:41 collapse

Oh, you shouldn’t need to do anything other then point a site at it.

Will update the readme when I get home

Edit: thanks for the feedback

ohshit604@sh.itjust.works on 09 Aug 16:19 collapse

Okay so going at it again, i think i now understand the reason for the Docker label now, here is my current docker-compose.yml i made some tweaks to the one from your github but i can’t seem to get a log file to generate.

I suspected it was a permissions issue on the volume mount so i ran chmod 777 on the ./config/csp directory but still wont get a log file.

Volume directory permissions:

user@debian:~/compose$ ls config/ | grep csp; ls config/csp/; ls config/csp/logs/
drwxrwxrwx  3 user user 4096 Aug  9 09:11 csp
total 12
drwxrwxrwx  3 user user 4096 Aug  9 09:11 .
drwxr-xr-x 44 user user 4096 Aug  8 16:41 ..
drwxrwxrwx  2 user user 4096 Aug  9 09:04 logs
total 8
drwxrwxrwx 2 user user 4096 Aug  9 09:04 .
drwxrwxrwx 3 user user 4096 Aug  9 09:11 ..

docker-compose.yml:

  csp-report:
    image: mhzawadi/csp-report
    networks:
      main:
        ipv4_address: 172.18.0.38
    #ports:
     # - "8432:8080"
    ports:
      - target: 8080
        published: 8432
        mode: host
    container_name: csp-report
    environment:
      - TZ=America/Vancouver
    labels:
      - "csp_report.url=192.168.1.199:3000"
    volumes:
      - ./config/csp/logs:/var/www/html/logs

Logs from the docker container:

user@debian:~/compose$ sudo docker compose up -d csp-report --force-recreate; sudo docker logs csp-report -f
WARN[0000] The "POSTGRES_DB" variable is not set. Defaulting to a blank string. 
[+] Running 1/1
 ✔ Container csp-report  Started                                                                                                             0.5s 
/config/start.sh: Launching Unit daemon to perform initial configuration...
2025/08/09 16:21:18 [info] 12#12 unit 1.34.1 started
2025/08/09 16:21:18 [info] 14#14 discovery started
BusyBox v1.37.0 (2025-08-05 16:42:11 UTC) multi-call binary.

Usage: seq [-w] [-s SEP] [FIRST [INC]] LAST

Print numbers from FIRST to LAST, in steps of INC.
FIRST, INC default to 1.

        -w      Pad with leading zeros
        -s SEP  String separator
2025/08/09 16:21:18 [notice] 14#14 module: php 8.4.2 "/usr/lib/unit/modules/php84.unit.so"
2025/08/09 16:21:18 [info] 13#13 controller started
2025/08/09 16:21:18 [notice] 13#13 process 14 exited with code 0
2025/08/09 16:21:18 [info] 18#18 router started
2025/08/09 16:21:18 [info] 18#18 OpenSSL 3.3.4 1 Jul 2025, 30300040
{
        "certificates": {},
        "config": {
                "listeners": {},
                "routes": [],
                "applications": {}
        },

        "status": {
                "modules": {