[Reverse Proxy] - Content Security Policy

#1

Hello Ladies and Gents,

I am trying to get better CSP with the Jellyfin installation as I have it exposed to the interwebs. I have done this with my Emby Server as well as with Plex, though with Plex it’s quite difficult to get a decent (IMO passing) score without changing some files (typically .js files) by hand. Anyway, after the initial JF installation and reverse proxying you’ll more or less receive a terrible score, as is expected.
I am using OPNSense + HAProxy and use https://observatory.mozilla.org/analyze/ to analyze my site.

Before:

After adding these to the backend:

#Working
rspidel ^Server:.*$
rspidel ^X-Powered-By:.*$
rspidel ^X-AspNet-Version:.*$

http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1;mode=block"
http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"

you’ll get a better B score. (Would post the picture, but new users can only post one pic at a time.)
With my Emby forward I am able to achieve an A+ by adding the following

http-response set-header Content-Security-Policy  "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self'  https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self'" 

In JF you won’t be able to log in because of

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-bSrazxUEQXAkT/qZZh+i/hL5M29C6fgiHph1RDxrxFA='), or a nonce ('nonce-...') is required to enable inline execution.

This can only be fixed by changing your inline script, I suppose, or by me changing my CSP.
Apploader.js is the script in question.

   <script>window.dashboardVersion='10.3.1';</script><script src="scripts/apploader.js?v=10.3.1" defer></script></body>

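As an added worked example (not part of the original post, and not Jellyfin or HAProxy code), the script below shows the third option the browser error offers: allowing the inline script by its SHA-256 hash instead of 'unsafe-inline'. It finds the inline (src-less) script blocks in an HTML page, computes the 'sha256-...' source expression for each, and appends them to the script-src directive of the CSP quoted above for Emby, so the result can be dropped into an http-response set-header line. The HTML sample is constructed from the snippet above and the function names are my own; the hash is taken over the exact bytes between the script tags, so if the sample matches the live page byte for byte it should reproduce the hash quoted in the error message, and every Jellyfin upgrade that bumps the version string in that inline script will change it, meaning the header has to be regenerated.

```python
import base64
import hashlib
import re
from typing import List

# Constructed sample modelled on the <script> tags quoted in post #1; it is not a
# capture from a running Jellyfin server.
SAMPLE_HTML = (
    "<script>window.dashboardVersion='10.3.1';</script>"
    '<script src="scripts/apploader.js?v=10.3.1" defer></script></body>'
)

# The Content-Security-Policy value posted for the Emby backend in post #1.
EMBY_CSP = (
    "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; "
    "media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; "
    "frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; "
    "script-src 'self'  https://www.gstatic.com; img-src data: https: http: ; "
    "style-src 'unsafe-inline' 'self'"
)

# Matches <script ...>body</script> elements that carry no src attribute (inline scripts).
_INLINE_SCRIPT = re.compile(
    r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE
)

# Source expressions that CSP requires to be single-quoted; host and scheme sources are bare.
_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes", "strict-dynamic"}
_HASH_PREFIXES = ("sha256-", "sha384-", "sha512-", "nonce-")


def csp_hash(script_body: str) -> str:
    """Return the CSP hash source (sha256-<base64>) for one inline script body.

    Browsers hash exactly the bytes between <script> and </script>, UTF-8 encoded and
    without trimming whitespace, so the body must be passed verbatim.  Any change to it
    (a version bump in the Jellyfin string, for instance) yields a different hash.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_script_hashes(html: str) -> List[str]:
    """Hash sources for every inline <script> block in the document, in document order."""
    return [csp_hash(m.group(1)) for m in _INLINE_SCRIPT.finditer(html)]


def _quote(source: str) -> str:
    """Single-quote keyword, hash and nonce sources; leave host/scheme sources as they are."""
    if source.startswith("'") or not (source in _KEYWORDS or source.startswith(_HASH_PREFIXES)):
        return source
    return f"'{source}'"


def add_script_sources(csp: str, sources: List[str]) -> str:
    """Append source expressions to the script-src directive of a policy string.

    Existing entries are kept, duplicates are skipped, other directives pass through
    untouched, and a script-src directive is created if the policy has none.
    """
    quoted = [_quote(s) for s in sources]
    rebuilt = []
    found = False
    for directive in csp.split(";"):
        parts = directive.split()  # also normalises stray double spaces
        if not parts:
            continue
        if parts[0].lower() == "script-src":
            found = True
            parts += [q for q in quoted if q not in parts]
        rebuilt.append(" ".join(parts))
    if not found:
        rebuilt.append(" ".join(["script-src"] + quoted))
    return "; ".join(rebuilt)


def hardened_csp(csp: str, html: str) -> str:
    """Policy that allows the page's inline scripts by hash rather than via 'unsafe-inline'."""
    return add_script_sources(csp, inline_script_hashes(html))


if __name__ == "__main__":
    for h in inline_script_hashes(SAMPLE_HTML):
        print("inline script hash:", h)
    # Ready to paste into the HAProxy backend, same shape as the header line in post #1.
    print('http-response set-header Content-Security-Policy "%s"' % hardened_csp(EMBY_CSP, SAMPLE_HTML))
```

Run it against the HTML actually served by your Jellyfin (saved from the browser, not retyped) rather than the constructed sample, since a single differing byte gives a different hash; a failed login after an upgrade is the usual sign that the inline script changed and the hash needs recomputing.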
#2

Thanks for the info, good to know.

How long have you been using OPNsense and Jelly?

#3

What do you mean? I have been using OPNSense + LetsEncrypt + HAProxy and Emby/Jellyfin/Plex for about 3 years by now, and it works quite great!

#4

Oh, a veteran on this… thanks man.

#5

Not sure if I consider myself a veteran, but if you have a question I will try to answer :smiley:

#6

Thanks, have you used Traefik?

I am trying to reverse proxy on it, with Jelly and Emby unlocked, on Docker.