I’ve been working on adding security headers to my reverse proxy, and so far I believe I have gotten most of them, except for Content Security Policies. I honestly can’t find a simplified way to apply a CSP to 20+ applications, and I hope folks on Lemmy know the best way to go about this.
```yaml
headers:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: https
    accessControlAllowMethods:
      - GET
      - OPTIONS
      - PUT
    accessControlMaxAge: 100
    hostsProxyHeaders:
      - "X-Forwarded-Host"
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
    customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    contentTypeNosniff: true
    browserXssFilter: true
    contentSecurityPolicy: ""
    referrerPolicy: "same-origin"
    permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
    customResponseHeaders:
      X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
      server: "traefik"
```
Cyberflunk@lemmy.world 1 week ago
I started with this in 2021: mgdm.net/weblog/csp-logging-with-nginx/

At some point in 2024 I got Claude to take over this management. Now I have an agent that maintains this workflow, and all CSP reports are in nginx/json.
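The report-logging approach above produces a stream of JSON violation reports; turning them into a per-application allow-list is the part that scales to many apps. The following is an added example, not code from either poster's setup: it reads newline-delimited reports in both the legacy `csp-report` and Reporting API formats and groups blocked origins by host and directive. The hostnames and log lines are constructed; entries reported as `inline` need a nonce or hash rather than an origin.

```python
"""Aggregate CSP violation reports into a per-host summary.

Added example (not from the thread). Reads newline-delimited JSON the way a
reverse proxy would log report bodies; the sample lines below are constructed.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: legacy "csp-report" bodies and one Reporting API body.
SAMPLE_LOG = """
{"csp-report": {"document-uri": "https://app1.example.internal/", "violated-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}
[{"type": "csp-violation", "url": "https://app1.example.internal/page", "body": {"documentURL": "https://app1.example.internal/page", "effectiveDirective": "img-src", "blockedURL": "https://img.example.net/a.png"}}]
{"csp-report": {"document-uri": "https://app2.example.internal/", "violated-directive": "style-src-elem", "blocked-uri": "inline"}}
"""

def _origin(uri):
    """Reduce a blocked URI to its origin; keep keywords such as 'inline' as-is."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri

def _records(report):
    """Yield (document_uri, directive, blocked_uri) from either report format."""
    if isinstance(report, list):  # Reporting API: a JSON array of report objects
        for item in report:
            if item.get("type") == "csp-violation":
                body = item["body"]
                yield body["documentURL"], body["effectiveDirective"], body["blockedURL"]
    elif "csp-report" in report:  # legacy report-uri format
        r = report["csp-report"]
        yield r["document-uri"], r["violated-directive"], r["blocked-uri"]

def aggregate(log_text):
    """Return {host: {directive: sorted list of blocked origins or keywords}}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for doc, directive, blocked in _records(json.loads(line)):
            summary[urlsplit(doc).netloc][directive].add(_origin(blocked))
    return {h: {d: sorted(v) for d, v in ds.items()} for h, ds in summary.items()}

if __name__ == "__main__":
    for host, directives in aggregate(SAMPLE_LOG).items():
        print(host)
        for directive, sources in directives.items():
            print(f"  {directive}: {' '.join(sources)}")
```

Run it in Report-Only mode first, then promote the per-host result to an enforced `contentSecurityPolicy` value for that app's middleware.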