2024-08-23, 09:47 PM
(This post was last modified: 2024-08-23, 09:49 PM by TheDreadPirate. Edited 1 time in total.)
(2024-08-23, 07:47 PM)keklol Wrote: add_header X-XSS-Protection "1; mode=block" always;
Enabling this header is no longer needed, and it is actually problematic as it creates attack vectors.
From our docs, there is this comment.
Code:
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
Echoed by Mozilla and others.
https://developer.mozilla.org/en-US/docs...Protection
https://support.okta.com/help/s/article/...uage=en_US
This header can help very old browsers be more secure, but other security settings, including the ones in your post, are not compatible with those old browsers and operating systems that would benefit from enabling X-XSS-Protection, such as the use of TLS 1.2 and 1.3 exclusively, the default for Nginx Proxy Manager.
(2024-08-23, 07:54 PM)keklol Wrote: Adding this as well since I know lots of people have issues with that:
Syncplay not working behind nginx reverse proxy
https://www.reddit.com/r/jellyfin/commen...rse_proxy/
Simply flipping on "Websocket support" is enough to cover Jellyfin's use of websockets. Since we're talking about Nginx Proxy Manager, and not plain Nginx.
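As an added illustration, not taken from the post above or from the Jellyfin project's documentation: a plain-Nginx server block that keeps the obsolete XSS auditor disabled (the `"0"` setting the reply recommends instead of `"1; mode=block"`) and adds the websocket upgrade passthrough that Nginx Proxy Manager's "Websocket support" toggle takes care of for you. The server name, certificate paths and the Jellyfin backend address are assumptions, as is the claim that the toggle maps to exactly these two `proxy_set_header` lines.

```nginx
# Added example, not from the forum post or the Jellyfin docs.
# Assumed: Jellyfin listens on 127.0.0.1:8096 and is served as jellyfin.example.com.
server {
    listen 443 ssl http2;
    server_name jellyfin.example.com;                       # assumption

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem; # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;                          # matches the NPM default the reply mentions

    # Keep the legacy XSS auditor off; do not re-enable it with "1; mode=block".
    add_header X-XSS-Protection "0" always;

    location / {
        proxy_pass http://127.0.0.1:8096;                   # assumed Jellyfin backend
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Websocket upgrade passthrough. In Nginx Proxy Manager this is the
        # "Websocket support" toggle; Syncplay and other Jellyfin websocket
        # features fail without it.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Run `nginx -t` after dropping this into `sites-available` to confirm the syntax before reloading; if you only ever use Nginx Proxy Manager, nothing here needs to be typed by hand, since the toggle and the header field in the proxy host's "Advanced" tab cover the same ground.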