Hello Ladies and Gents,
I am trying to get a better CSP with the Jellyfin installation as I have it exposed to the interwebs. I have done this with my Emby Server as well as with Plex, though with Plex it's quite difficult to get a decent (IMO passing) score without changing some files (typically .js files) by hand. Anyway, after the initial JF installation and reverse proxying you'll more or less receive a terrible score, as is expected.
I am using OPNSense + HAProxy and use https://observatory.mozilla.org/analyze/ to analyze my site.
After adding these to the backend:
```
#Working
rspidel ^Server:.*$
rspidel ^X-Powered-By:.*$
rspidel ^X-AspNet-Version:.*$
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1;mode=block"
http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
```
you'll get a better B score. (Would post the picture, but new users can only post one pic at a time.)
With my Emby forward I am able to achieve an A+ by adding the following:
```
http-response set-header Content-Security-Policy "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self'"
```
In JF you won't be able to log in because of:
```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-bSrazxUEQXAkT/qZZh+i/hL5M29C6fgiHph1RDxrxFA='), or a nonce ('nonce-...') is required to enable inline execution.
```
This can only be fixed by changing your inline script, I suppose, or by me changing my CSP.
Apploader.js is the script in question:

```html
<script>window.dashboardVersion='10.3.1';</script><script src="scripts/apploader.js?v=10.3.1" defer></script></body>
```
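A way to work out the hash a browser expects for an inline script and build a `script-src` that allows only that block (instead of `'unsafe-inline'`), added here as an example and not part of the original post or of Jellyfin; the sample HTML is constructed from the snippet quoted above, and the function names are my own.

```python
import base64
import hashlib
import re

# Constructed sample: the <body> tail quoted above, one inline script and one
# external script that is already covered by 'self'.
SAMPLE_HTML = (
    "<script>window.dashboardVersion='10.3.1';</script>"
    '<script src="scripts/apploader.js?v=10.3.1" defer></script></body>'
)

_SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S | re.I)


def csp_sha256(inline_js: str) -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline script.

    Browsers hash the exact text between <script> and </script>, so whitespace
    and line endings must match byte for byte or the hash will not apply."""
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_hashes(html: str) -> list[str]:
    """Hash every <script> block that has no src attribute.

    External scripts are matched by host sources such as 'self' and need no hash."""
    hashes = []
    for m in _SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs"), re.I):
            continue
        hashes.append(csp_sha256(m.group("body")))
    return hashes


def script_src_directive(html: str, host_sources=("'self'",)) -> str:
    """Build a script-src directive that permits the page's inline scripts by hash."""
    return "script-src " + " ".join([*host_sources, *inline_script_hashes(html)])


if __name__ == "__main__":
    print(script_src_directive(SAMPLE_HTML))
```

Because the inline block embeds the version string, its hash changes on every Jellyfin upgrade, so the directive has to be regenerated (or the console error re-read) each time the web client is updated.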