this post was submitted on 02 Aug 2025
14 points (93.8% liked)

Selfhosted

50029 readers
510 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
14
How do you configure CSP headers on 20+ applications ? (sh.itjust.works)
submitted 11 hours ago* (last edited 8 hours ago) by ohshit604@sh.itjust.works to c/selfhosted@lemmy.world
4 comments fedilink hide all child comments
 

I’ve been working on adding security headers to my reverse proxy and so far I believe to have gotten most of them except for Content Security Policies, I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks of Lemmy know the best way to go about this.

I want to note that I never worked with headers in the past, I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos but can’t seem to get it right.

    headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
        contentSecurityPolicy: ""
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," # disable search engines from indexing home server
          server: "traefik"
top 4 comments
sorted by: hot top controversial new old
[–] Cyberflunk@lemmy.world 0 points 2 hours ago

I started with this in 2021 https://mgdm.net/weblog/csp-logging-with-nginx/

At some point in 2024 i got Claude to take over this management. Now i have an agent that maintains this workflow, and all csp reports are in nginx/json

[–] mhzawadi@lemmy.horwood.cloud 7 points 9 hours ago (1 children)

your in luck, I have been doing this at work.

First have a look at the report header Content-Security-Policy-Report-Only add things you know about, as that will allow you to log what you need to have setup. Then once you have a list of things you know you need, add them and what the logs again. adding in things as you see and verify them.

Also dont just add things in without checking that its in your code, you dont want to add hack-me.com by mistake.

[–] elvith@feddit.org 2 points 8 hours ago (1 children)

Do you happen to know of any self hosted report-ingestion, that allows me to check my csp and somewhat visualize them? I know there are services like report-uri and such, but they do cost a monthly fee and probably also have a privacy impact for my visitors

[–] mhzawadi@lemmy.horwood.cloud 1 points 8 hours ago* (last edited 8 hours ago)

Sorry I dont, but our devs have some PHP to log requests to a file. On Monday will see if I can get that and make a docker image you can run