Nginx Proxy Manager Configuration

So I’ve decided to come away from the DuckDNS setup I had and have moved over to my own domain using Cloudflare and the Nginx Proxy Manager.

This setup works perfectly, but I want it to be as secure as possible.

Doing tests on my domain, I get the following missing HTTP headers:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options

I would like to solve this so after some googling I came across the following code:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header Content-Security-Policy "default-src 'self' https://*.elementor.com https://*.google.com; font-src 'self' data: https://*.googleapis.com https://*.gstatic.com; img-src 'self' data: https://i.imgur.com https://*.gravatar.com https://*.elementor.com; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' data: https://*.googleapis.com; script-src-elem 'self' 'unsafe-inline' https://*.cloudflare.com; frame-src 'self' https://*.youtube.com https://*.google.com;";

I thought I could just put this in “Proxy Host/Advanced/Custom Nginx Configuration”, but it didn’t do anything.

So after some playing I found that if I put it in “Proxy Host/Custom Locations” with a location path of “/” it does work, and on the Home Assistant login page the HTTP headers are perfect, but I get the “cannot connect to Home Assistant” screen instead.

So I hope someone can point me in the right direction of getting the best of both worlds: getting Home Assistant to work with the headers fixed…

Hello Liam,

Have you figured this out?
I’m trying to do the same.

I have found that these work:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "strict-origin";
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self)";

But as soon as I add the Content-Security-Policy header I also can’t log in (blank page).
This is my header:

add_header Content-Security-Policy "default-src 'self';";

I also tried this:

add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";

I was able to get this working by entering the following in Advanced → Custom Nginx Configuration. You can add or remove whatever you don’t need.

location /
{
  # Force SSL
  include conf.d/include/force-ssl.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Robots-Tag none;
  add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self)";
  add_header 'Referrer-Policy' 'same-origin';

  proxy_headers_hash_max_size 512;
  proxy_headers_hash_bucket_size 128;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  # Proxy!
  include conf.d/include/proxy.conf;
}

Hopefully that helps.
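As an added example (not code from the thread or from Nginx Proxy Manager), here is a small POSIX shell check that takes a raw response-header dump, reports which of the headers discussed above are still missing, and tells you whether a CSP is enforced or only staged as Report-Only; `ha.example.com` is a placeholder hostname and both header dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: audit the raw response headers of a site
# fronted by Nginx Proxy Manager. Get real headers with: curl -sI https://ha.example.com
# (ha.example.com is a placeholder). X-XSS-Protection is left out on purpose: it is
# deprecated and current browsers ignore it; the headers below are the ones that matter.
WANTED="strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy content-security-policy"

# missing_headers RAW -> prints each wanted header not found in RAW, one per line
missing_headers() {
  lower=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
  for h in $WANTED; do
    printf '%s\n' "$lower" | grep -q "^$h:" || echo "$h"
  done
}

# csp_mode RAW -> enforce | report-only | none. Report-Only lets you watch what a
# policy would block (e.g. on the Home Assistant login page) before enforcing it.
csp_mode() {
  lower=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
  if printf '%s\n' "$lower" | grep -q '^content-security-policy:'; then
    echo enforce
  elif printf '%s\n' "$lower" | grep -q '^content-security-policy-report-only:'; then
    echo report-only
  else
    echo none
  fi
}

# Constructed sample: roughly what the original poster saw before adding any headers
SAMPLE_BEFORE="HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains"

# Constructed sample: after the location / block above, with CSP staged as Report-Only
SAMPLE_AFTER="HTTP/2 200
Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Permissions-Policy: geolocation=(),camera=()
Content-Security-Policy-Report-Only: default-src 'self'"

# Usage: run over both samples, then over the live site once you have one
missing_headers "$SAMPLE_BEFORE"; csp_mode "$SAMPLE_BEFORE"
missing_headers "$SAMPLE_AFTER";  csp_mode "$SAMPLE_AFTER"
```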
