2024-08-23, 09:47 PM
(This post was last modified: 2024-08-23, 09:49 PM by TheDreadPirate. Edited 1 time in total.)
(2024-08-23, 07:47 PM)keklol Wrote: add_header X-XSS-Protection "1; mode=block" always;
Enabling this header is no longer needed. And is actually problematic as it creates attack vectors.
From our docs, there is this comment.
Code:
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerousEchoed by Mozilla and others.
https://developer.mozilla.org/en-US/docs...Protection
https://support.okta.com/help/s/article/...uage=en_US
This header can help very old browsers be more secure, but other security settings, including the ones in your post, are not compatible with those old browsers and operating systems that would benefit from enabling X-XSS-Protection. Such as the use of TLS 1.2 and 1.3 exclusively, the default for Nginx Proxy Manager.
(2024-08-23, 07:54 PM)keklol Wrote: Adding this as well since i know lots of people have issues with that:
Syncplay not working behind nginx reverse proxy
https://www.reddit.com/r/jellyfin/commen...rse_proxy/
Simply flipping on "Websocket support" is enough to cover Jellyfin's use of websockets. Since we're talking about Nginx Proxy Manager, and not plain Nginx.
Jellyfin 10.10.0 (Docker)
Ubuntu 24.04 LTS
Intel i3 12100
Intel Arc A380
OS drive - SK Hynix P41 1TB
Storage
3x WD Red Pro 6TB CMR in RAIDZ1 (JF Library)
![[Image: GitHub%20Sponsors-grey?logo=github]](https://img.shields.io/badge/GitHub%20Sponsors-grey?logo=github)
Ubuntu 24.04 LTS
Intel i3 12100
Intel Arc A380
OS drive - SK Hynix P41 1TB
Storage
3x WD Red Pro 6TB CMR in RAIDZ1 (JF Library)