
[ENHANCEMENTS] Add Security Headers // Presets // Checkboxes #163

Closed
Nazgile94 opened this issue May 21, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@Nazgile94

Nazgile94 commented May 21, 2024

I'm not familiar with GitHub, so please be kind to me =D

#151 (comment)

Default security headers would be nice to implement // maybe let users choose through checkboxes which headers should be enabled for proxy host xyz + empty fields to maybe enter their own security headers like Content-Security-Policy etc.

or some presets that the user can just click through with "checkboxes".

security headers on NPM are buggy and need to be set through advanced / location settings. - no problem, but annoying haha -
so having a working alternative would be +1

like:

```nginx
client_body_buffer_size (value);
proxy_read_timeout (value)s;
client_max_body_size (value);

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
```

http forward, websocket etc etc.

my Jellyfin for example:

```nginx
# Fragment of a server {} block; $jellyfin is expected to be set earlier
# in the same block (set $jellyfin <upstream-host>;).
client_max_body_size 20M;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
add_header X-Content-Type-Options "nosniff";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

location / {
    # Proxy main Jellyfin traffic
    proxy_pass http://$jellyfin:8096;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    # Disable buffering when the nginx proxy gets very resource heavy upon streaming
    proxy_buffering off;
}

location /socket {
    # Proxy Jellyfin Websockets traffic
    proxy_pass http://$jellyfin:8096;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
}
```

having this as checkboxes and maybe an advanced field to insert them manually would be <3 and I will switch to Zoraxy.

edit -- don't know how to insert a code block without the hashtags being rendered in bold.^^

@Nazgile94 Nazgile94 added the enhancement New feature or request label May 21, 2024
@Morethanevil
Contributor

Morethanevil commented May 21, 2024

@Nazgile94

If you want a multiline code block, then use ` three times before the code block and three times at the end of the code block

Security headers would be cool built like a submenu 🤔

An on/off switch for all headers, or switches for every single one if you don't need all at once or want to troubleshoot
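To make the "one switch per header" idea above and the Jellyfin header set from the first post concrete, here is an added Go example (not Zoraxy's code, and not from either commenter). It assumes a hypothetical per-host `HeaderToggles` struct: each bool enables one of the common headers from the nginx snippet, `Custom` carries free-form headers typed in by the user, and `FrameOptions` can be switched off for a host whose client (the webOS case in this thread) cannot cope with it. `AuditHeaders` is the check a practitioner would run against the resulting response: it lists missing headers and flags the obsolete `X-XSS-Protection` pitfall noted in the snippet. The request is served in-process with `httptest`, so nothing touches the network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// HeaderToggles is a hypothetical per-proxy-host configuration: one switch
// per common security header plus free-form custom headers.
type HeaderToggles struct {
	HSTS              bool
	NoSniff           bool
	FrameOptions      bool // switch off for clients that break on it (webOS case in the thread)
	PermissionsPolicy bool
	Custom            map[string]string
}

// headerValues are the values emitted when a toggle is on. HSTS and nosniff
// match the posted nginx snippet; the Permissions-Policy list is a constructed
// subset of it and X-Frame-Options is a constructed default.
var headerValues = map[string]string{
	"Strict-Transport-Security": "max-age=31536000",
	"X-Content-Type-Options":    "nosniff",
	"X-Frame-Options":           "SAMEORIGIN",
	"Permissions-Policy":        "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
}

// SecurityHeaders wraps an upstream handler and adds every enabled header
// to the response, the way a proxy-level toggle menu would.
func SecurityHeaders(cfg HeaderToggles, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		if cfg.HSTS {
			h.Set("Strict-Transport-Security", headerValues["Strict-Transport-Security"])
		}
		if cfg.NoSniff {
			h.Set("X-Content-Type-Options", headerValues["X-Content-Type-Options"])
		}
		if cfg.FrameOptions {
			h.Set("X-Frame-Options", headerValues["X-Frame-Options"])
		}
		if cfg.PermissionsPolicy {
			h.Set("Permissions-Policy", headerValues["Permissions-Policy"])
		}
		for name, value := range cfg.Custom { // user-entered headers, e.g. a CSP
			h.Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// AuditHeaders reports which common security headers a response lacks and
// flags a non-zero X-XSS-Protection value, which the nginx snippet warns
// against. Findings are sorted so the output is stable.
func AuditHeaders(h http.Header) []string {
	var findings []string
	for name := range headerValues {
		if h.Get(name) == "" {
			findings = append(findings, "missing "+name)
		}
	}
	if v := h.Get("X-XSS-Protection"); v != "" && v != "0" {
		findings = append(findings, "X-XSS-Protection is enabled (obsolete; set to 0 or remove)")
	}
	sort.Strings(findings)
	return findings
}

// ServeWith runs one constructed request through the middleware in-process
// and returns the response headers a client would see.
func ServeWith(cfg HeaderToggles) http.Header {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stand-in for the proxied Jellyfin backend
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "https://jellyfin.example/", nil) // constructed host
	SecurityHeaders(cfg, upstream).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	all := HeaderToggles{HSTS: true, NoSniff: true, FrameOptions: true, PermissionsPolicy: true,
		Custom: map[string]string{"Content-Security-Policy": "default-src 'self'"}}
	fmt.Println("all toggles on, findings:", AuditHeaders(ServeWith(all)))

	webOS := all
	webOS.FrameOptions = false // per-host exception for the client that breaks on it
	fmt.Println("X-Frame-Options off, findings:", AuditHeaders(ServeWith(webOS)))
}
```

Turning a single toggle off for one host keeps the rest of the header set intact, and the audit makes the gap visible instead of silent, which is the troubleshooting workflow the comment describes.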

@Nazgile94
Author

Nazgile94 commented May 21, 2024

@Nazgile94

If you want a multiline code block, then use ` three times before the code block and three times at the end of the code block

Security headers would be cool built like a submenu 🤔

An on/off switch for all headers, or switches for every single one if you don't need all at once or want to troubleshoot

worked! thanks :D

toggles like an on/off switch would be nice
but a custom option to insert your own or maybe missing headers is necessary I think, because I don't think ALL possible headers can be implemented :D but the basic stuff would be nice like you said - for troubleshooting just turn off one after another to troubleshoot stuff.

it took me hours to figure out why I couldn't access my Jellyfin on an LG TV, because of a header not supported on webOS TVs...

NPM is a DIVA when setting up headers, because of a bug: NginxProxyManager/nginx-proxy-manager#3478 (comment)

sorry for typos etc. - not my native language. Just school English and Diablo 2 a long time ago.^^

@Morethanevil
Contributor

Jellyfin runs in Docker but in host mode for me; Zoraxy (running directly on the host) points to localhost:ip

I don't use additional headers for Jellyfin, but I don't use an LG TV either. Does it have Android TV? The Jellyfin Android TV app should work out of the box.

But adding additional headers is not a bad idea. It is possible right now, but a switch for the most common headers would make it easier.

@Nazgile94
Author

Jellyfin runs in Docker but in host mode for me; Zoraxy (running directly on the host) points to localhost:ip

I don't use additional headers for Jellyfin, but I don't use an LG TV either. Does it have Android TV? The Jellyfin Android TV app should work out of the box.

But adding additional headers is not a bad idea. It is possible right now, but a switch for the most common headers would make it easier.

nope, the webOS Jellyfin app is strange and kind of old.
it's a bug

the default X-Frame-Options header.

my Jellyfin is publicly available for friends, so I always have a little "security" in mind, better more than less :D

I'm running Jellyfin on Unraid and NPM on Proxmox in an LXC container - pointing to the Unraid IP + the exposed Jellyfin port.

@tobychui
Owner

tobychui commented Jun 20, 2024


Feature added in v3.0.7. You can now go to Custom Headers and create your own HSTS & (limited version of) Permissions-Policy with a web form.
