this post was submitted on 02 Aug 2025
20 points (91.7% liked)

Selfhosted


I’ve been working on adding security headers to my reverse proxy and so far I believe I have gotten most of them, except for Content Security Policies. I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks on Lemmy know the best way to go about this.

I want to note that I have never worked with headers in the past; I tried interpreting the Traefik documentation and the Mozilla documentation as well as a bunch of random YT videos, but I can’t seem to get it right.

    http:
      middlewares:
        headers:                       # middleware name as posted (the first "headers:" line)
          headers:                     # Traefik "headers" middleware options
            customRequestHeaders:
              X-Forwarded-Proto: https
            accessControlAllowMethods:
              - GET
              - OPTIONS
              - PUT
            accessControlMaxAge: 100
            hostsProxyHeaders:
              - "X-Forwarded-Host"
            stsSeconds: 31536000
            stsIncludeSubdomains: true
            stsPreload: true
            forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
            customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
            contentTypeNosniff: true
            browserXssFilter: true # sends X-XSS-Protection, a deprecated header current browsers ignore; CSP is its replacement
            contentSecurityPolicy: "" # empty value: Traefik sends no Content-Security-Policy header at all
            referrerPolicy: "same-origin"
            permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
            customResponseHeaders:
              X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" # disable search engines from indexing home server ("none" already implies noindex,nofollow)
              server: "traefik" # renames the header; an empty string ("") would remove it instead
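The part the post leaves empty (`contentSecurityPolicy: ""`) is the one header that cannot sensibly be shared by 20+ applications: each app needs its own source list, and a proxy-set value replaces any CSP the app already sends, so apps that ship their own policy should simply not get a CSP middleware. The workable pattern is one `csp-<app>` middleware per application, generated from a locked-down baseline plus per-app additions, sent as `Content-Security-Policy-Report-Only` until the violation reports for that app are clean, and then switched to the enforcing header. The script below is an added example, not code from the original post or from Traefik: the app names, the per-app sources and the report collector address `https://csp.example.com/` are placeholders, and the `contentSecurityPolicyReportOnly` option is assumed to be the Traefik v3 headers option (on v2 the same value can be sent through `customResponseHeaders` under the literal header name). It writes a dynamic-config file in which a `secure-<app>` chain combines the poster's generic `headers` middleware with the per-app CSP one.

```python
"""Generate one CSP middleware per app for Traefik's file provider.

Added example, not code from the original post or from Traefik. Everything
below is illustrative: the app names, the per-app sources and the report
collector address https://csp.example.com/ are assumptions. The generated
options assume Traefik v3 (contentSecurityPolicyReportOnly); on v2 the same
value can be sent through customResponseHeaders under the literal header name.
"""
from __future__ import annotations

# Locked-down baseline every app starts from. A directive whose source
# list is empty is rendered bare (e.g. "upgrade-insecure-requests").
BASELINE: dict[str, list[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "media-src": ["'self'"],
    "frame-ancestors": ["'self'"],   # CSP counterpart of X-Frame-Options: SAMEORIGIN
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "object-src": ["'none'"],
    "upgrade-insecure-requests": [],  # ignored by browsers in Report-Only mode; takes effect once enforced
}

# Per-app additions, normally learned from report-only violations.
# Constructed values for illustration; an app not listed gets the baseline.
APP_OVERRIDES: dict[str, dict[str, list[str]]] = {
    "jellyfin": {
        "script-src": ["'unsafe-inline'", "'unsafe-eval'"],  # weakens the policy; only if the app needs it
        "style-src": ["'unsafe-inline'"],
        "img-src": ["https:"],
        "media-src": ["blob:"],
    },
    "vaultwarden": {
        "style-src": ["'unsafe-inline'"],
        "connect-src": ["https://api.example.net"],
    },
}

REPORT_URI = "https://csp.example.com/"  # assumed collector; report-uri is still the most widely supported reporting directive


def build_csp(baseline: dict[str, list[str]],
              overrides: dict[str, list[str]],
              report_uri: str | None = None) -> str:
    """Merge per-app sources into the baseline and serialise a CSP header value."""
    merged = {directive: list(sources) for directive, sources in baseline.items()}
    for directive, sources in overrides.items():
        bucket = merged.setdefault(directive, [])
        for src in sources:
            if src not in bucket:          # keep the header free of duplicates
                bucket.append(src)
    parts = [f"{d} {' '.join(s)}" if s else d for d, s in merged.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def yaml_dq(value: str) -> str:
    """Double-quote a scalar for YAML; CSP values contain single quotes and semicolons."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_traefik_dynamic(apps: list[str], enforce: frozenset[str] = frozenset()) -> str:
    """Emit a Traefik dynamic-config file: csp-<app> middlewares plus a secure-<app>
    chain that combines the poster's generic "headers" middleware with the CSP one.
    Apps in `enforce` get Content-Security-Policy; all others get the Report-Only header."""
    lines = ["http:", "  middlewares:"]
    for app in apps:
        policy = build_csp(BASELINE, APP_OVERRIDES.get(app, {}), REPORT_URI)
        option = "contentSecurityPolicy" if app in enforce else "contentSecurityPolicyReportOnly"
        lines += [f"    csp-{app}:", "      headers:", f"        {option}: {yaml_dq(policy)}"]
    for app in apps:
        lines += [f"    secure-{app}:", "      chain:", "        middlewares:",
                  "          - headers", f"          - csp-{app}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Attach per container with a label such as
    #   traefik.http.routers.jellyfin.middlewares=secure-jellyfin@file
    print(render_traefik_dynamic(["jellyfin", "vaultwarden", "grafana"],
                                 enforce=frozenset({"vaultwarden"})))
```

Point the generated file at a directory watched by Traefik's file provider, attach `secure-<app>@file` to each router via its docker label, and leave `contentSecurityPolicy: ""` in the shared `headers` middleware alone: the per-app middleware is the only place the CSP is set, so no app gets a policy that was written for a different one.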
[–] mhzawadi@lemmy.horwood.cloud 1 points 4 months ago* (last edited 4 months ago) (1 children)

Oh, you shouldn't need to do anything other than point a site at it.

Will update the readme when I get home

Edit: thanks for the feedback

[–] ohshit604@sh.itjust.works 0 points 4 months ago* (last edited 4 months ago)

Okay, so going at it again, I think I now understand the reason for the Docker label. Here is my current docker-compose.yml; I made some tweaks to the one from your GitHub, but I can't seem to get a log file to generate.

I suspected it was a permissions issue on the volume mount, so I ran chmod 777 on the ./config/csp directory, but I still won't get a log file.

Volume directory permissions:

user@debian:~/compose$ ls config/ | grep csp; ls config/csp/; ls config/csp/logs/
drwxrwxrwx  3 user user 4096 Aug  9 09:11 csp
total 12
drwxrwxrwx  3 user user 4096 Aug  9 09:11 .
drwxr-xr-x 44 user user 4096 Aug  8 16:41 ..
drwxrwxrwx  2 user user 4096 Aug  9 09:04 logs
total 8
drwxrwxrwx 2 user user 4096 Aug  9 09:04 .
drwxrwxrwx 3 user user 4096 Aug  9 09:11 ..

docker-compose.yml:

  services:                     # top-level compose key; this service is one entry of a larger file
    csp-report:
      image: mhzawadi/csp-report
      container_name: csp-report
      networks:
        main:                   # "main" must be defined under the top-level "networks:" key
          ipv4_address: 172.18.0.38
      ports:                    # long syntax; mode: host binds the port directly on the host
        - target: 8080
          published: 8432
          mode: host
      environment:
        - TZ=America/Vancouver
      labels:
        - "csp_report.url=192.168.1.199:3000"
      volumes:
        - ./config/csp/logs:/var/www/html/logs

Logs from the docker container:

user@debian:~/compose$ sudo docker compose up -d csp-report --force-recreate; sudo docker logs csp-report -f
WARN[0000] The "POSTGRES_DB" variable is not set. Defaulting to a blank string. 
[+] Running 1/1
 ✔ Container csp-report  Started                                                                                                             0.5s 
/config/start.sh: Launching Unit daemon to perform initial configuration...
2025/08/09 16:21:18 [info] 12#12 unit 1.34.1 started
2025/08/09 16:21:18 [info] 14#14 discovery started
BusyBox v1.37.0 (2025-08-05 16:42:11 UTC) multi-call binary.

Usage: seq [-w] [-s SEP] [FIRST [INC]] LAST

Print numbers from FIRST to LAST, in steps of INC.
FIRST, INC default to 1.

        -w      Pad with leading zeros
        -s SEP  String separator
2025/08/09 16:21:18 [notice] 14#14 module: php 8.4.2 "/usr/lib/unit/modules/php84.unit.so"
2025/08/09 16:21:18 [info] 13#13 controller started
2025/08/09 16:21:18 [notice] 13#13 process 14 exited with code 0
2025/08/09 16:21:18 [info] 18#18 router started
2025/08/09 16:21:18 [info] 18#18 OpenSSL 3.3.4 1 Jul 2025, 30300040
{
        "certificates": {},
        "config": {
                "listeners": {},
                "routes": [],
                "applications": {}
        },

        "status": {
                "modules": {
                        "php": {
                                "version": "8.4.2",
                                "lib": "/usr/lib/unit/modules/php84.unit.so"
                        }
                },

                "connections": {
                        "accepted": 0,
                        "active": 0,
                        "idle": 0,
                        "closed": 0
                },

                "requests": {
                        "total": 0
                },

                "applications": {}
        }
}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
2025/08/09 16:21:18 [info] 20#20 "csp_report" prototype started
2025/08/09 16:21:18 [info] 21#21 "csp_report" application started
{
        "success": "Reconfiguration done."
}
100   413  100    43  100   370   2808  24162 --:--:-- --:--:-- --:--:-- 27533
/config/start.sh: Stopping Unit daemon after initial configuration...
2025/08/09 16:21:18 [notice] 13#13 process 17 exited with code 0
2025/08/09 16:21:18 [notice] 20#20 app process 21 exited with code 0
2025/08/09 16:21:18 [alert] 20#20 sendmsg(13, -1, -1, 2) failed (32: Broken pipe)
2025/08/09 16:21:18 [notice] 13#13 process 18 exited with code 0
2025/08/09 16:21:18 [notice] 13#13 process 20 exited with code 0
BusyBox v1.37.0 (2025-08-05 16:42:11 UTC) multi-call binary.

Usage: seq [-w] [-s SEP] [FIRST [INC]] LAST

Print numbers from FIRST to LAST, in steps of INC.
FIRST, INC default to 1.


/config/start.sh: Unit initial configuration complete; ready for start up...

        -w      Pad with leading zeros
        -s SEP  String separator
2025/08/09 16:21:18 [info] 1#1 unit 1.34.1 started
2025/08/09 16:21:18 [info] 31#31 discovery started
2025/08/09 16:21:18 [notice] 31#31 module: php 8.4.2 "/usr/lib/unit/modules/php84.unit.so"
2025/08/09 16:21:18 [info] 1#1 controller started
2025/08/09 16:21:18 [notice] 1#1 process 31 exited with code 0
2025/08/09 16:21:18 [info] 33#33 router started
2025/08/09 16:21:18 [info] 33#33 OpenSSL 3.3.4 1 Jul 2025, 30300040
2025/08/09 16:21:18 [info] 34#34 "csp_report" prototype started
2025/08/09 16:21:18 [info] 35#35 "csp_report" application started
127.0.0.1 - - [09/Aug/2025:16:21:23 +0000] "POST / HTTP/1.1" 200 7 "-" "curl/8.12.1"
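The only request the container log above shows is the POST from `curl` inside the image's own start-up script, not a browser report. Once a site with a `report-uri` pointing at the collector is actually visited, the collector receives one JSON body per violation, and the job becomes turning those bodies into the per-app source additions for a policy that started out in Report-Only mode. The script below is an added example, not part of this thread, of the csp-report image or of Traefik: the request bodies are constructed to mirror the two formats browsers send (the `report-uri` body with a top-level `csp-report` object and the Reporting API array of `csp-violation` entries), the hostnames are placeholders, and nothing is assumed about how the collector lays out its log files.

```python
"""Turn collected CSP violation reports into per-app policy additions.

Added example; not part of the thread, the csp-report image or Traefik.
The request bodies below are constructed to mirror what browsers POST to a
report endpoint: the report-uri format ({"csp-report": {...}}) and the
Reporting API format (a JSON array of {"type": "csp-violation", ...}).
How the collector stores them on disk is not assumed; the input here is
simply one request body per string.
"""
from __future__ import annotations

import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample bodies (hostnames are placeholders).
SAMPLE_BODIES = [json.dumps(b) for b in [
    {"csp-report": {"document-uri": "https://jellyfin.home.example/web/index.html",
                    "violated-directive": "script-src 'self'",
                    "effective-directive": "script-src",
                    "blocked-uri": "inline", "disposition": "report"}},
    {"csp-report": {"document-uri": "https://jellyfin.home.example/web/index.html",
                    "effective-directive": "img-src",
                    "blocked-uri": "https://images.example.org/poster.jpg",
                    "disposition": "report"}},
    {"csp-report": {"document-uri": "https://jellyfin.home.example/web/index.html",
                    "effective-directive": "script-src",
                    "blocked-uri": "eval", "disposition": "report"}},
    [{"type": "csp-violation", "age": 12, "url": "https://vault.home.example/",
      "body": {"documentURL": "https://vault.home.example/",
               "effectiveDirective": "connect-src",
               "blockedURL": "https://api.example.net/range/5BAA6",
               "disposition": "report", "statusCode": 200}},
     {"type": "csp-violation", "age": 15, "url": "https://vault.home.example/",
      "body": {"documentURL": "https://vault.home.example/",
               "effectiveDirective": "style-src-elem",
               "blockedURL": "inline", "disposition": "enforce"}}],
]]

# Placeholders the browser reports instead of a URL, mapped to the source
# expression that would allow them. The first two weaken the policy; prefer
# nonces or hashes wherever you control the application's templates.
KEYWORDS = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'",
            "wasm-eval": "'wasm-unsafe-eval'", "data": "data:", "blob": "blob:"}


def parent_directive(directive: str) -> str:
    """Fold the CSP3 -elem/-attr sub-directives back onto script-src/style-src,
    which is where a policy written without them needs the addition."""
    for suffix in ("-elem", "-attr"):
        if directive.endswith(suffix):
            return directive[: -len(suffix)]
    return directive


def suggest_source(blocked: str) -> str:
    """Reduce a blocked resource to the narrowest source expression that allows it."""
    if blocked in KEYWORDS:
        return KEYWORDS[blocked]
    if blocked in ("", "self"):
        return "'self'"
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"   # origin only, never the full path
    if parts.scheme:
        return f"{parts.scheme}:"                   # scheme-only value such as "about:"
    return blocked


def normalize(entry: dict) -> dict | None:
    """Extract (page, directive, blocked) from either report format."""
    if "csp-report" in entry:                       # report-uri format
        r = entry["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "")
        return {"page": r.get("document-uri", ""),
                "directive": directive.split()[0] if directive else "",
                "blocked": r.get("blocked-uri", "")}
    if entry.get("type") == "csp-violation":        # Reporting API format
        body = entry.get("body", {})
        return {"page": body.get("documentURL") or entry.get("url", ""),
                "directive": body.get("effectiveDirective", ""),
                "blocked": body.get("blockedURL", "")}
    return None                                     # not a CSP report; ignore


def aggregate(bodies: list[str]) -> dict[str, dict[str, dict[str, int]]]:
    """{page origin: {directive: {suggested source: count}}} over all reports."""
    counts: dict = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for raw in bodies:
        data = json.loads(raw)
        for entry in (data if isinstance(data, list) else [data]):
            rec = normalize(entry)
            if not rec or not rec["directive"]:
                continue
            page = urlsplit(rec["page"])
            origin = f"{page.scheme}://{page.netloc}"
            counts[origin][parent_directive(rec["directive"])][suggest_source(rec["blocked"])] += 1
    return counts


def policy_additions(counts) -> list[str]:
    """One line per app and directive, e.g. "https://x  script-src: 'unsafe-inline' (1)"."""
    out = []
    for origin in sorted(counts):
        for directive in sorted(counts[origin]):
            srcs = ", ".join(f"{s} ({n})" for s, n in sorted(counts[origin][directive].items()))
            out.append(f"{origin}  {directive}: {srcs}")
    return out


if __name__ == "__main__":
    print("\n".join(policy_additions(aggregate(SAMPLE_BODIES))))
```

Read the output per app: a one-off entry is usually a browser extension or a probe and can be ignored, a source that recurs on every page load belongs in that app's policy, and any `'unsafe-inline'` or `'unsafe-eval'` suggestion is a conscious trade-off rather than something to paste in blindly, since it reopens most of what the CSP was meant to close.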