NGINX Security Headers

Xela

Well-Known Member
Oct 12, 2017
Hi there,
I successfully implemented the security headers today for:

• X-Content-Type-Options
• X-XSS-Protection
• Referrer-Policy
• Strict-Transport-Security

But the last two headers, Content-Security-Policy and X-Frame-Options, have been breaking my head all afternoon.
For X-Frame-Options I tried all possibilities, but it seems that as soon as I set it the shell stops working, and the same goes for Content-Security-Policy. Is there a recommendation for these two headers for Proxmox?
 
X-Frame-Options
SAMEORIGIN: the shell is gray, nothing happens
ALLOW-FROM https://example.com/: I tried localhost, localhost:8006, 127.0.0.1, 127.0.0.1:8006, also port 5900, the URL, the public IP etc.
Every time I enable that header the shell in Proxmox stays gray, and I have to disable the header again.
 
Hey,

I know it's a little bit late, but in case anyone is seeing this who is having the same problem:
I had the same problem today and found a solution. When defining the 'Content-Security-Policy' you have to make sure you're setting the two values 'unsafe-eval' and 'unsafe-inline' in order to access Proxmox.

My complete CSP string:
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' fonts.gstatic.com data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';

From this point on you should be able to access Proxmox.
The next problem I had was that I couldn't connect to the noVNC consoles.
Make sure you've set these 3 parameters in your location{} block:
proxy_set_header Host $host;
proxy_set_header Connection "";
proxy_set_header Upgrade $http_upgrade;

If anyone needs some more help or wants to see my complete NGINX Configuration, please let me know.
 
greetings...
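To show how the pieces from this reply fit together, here is an added example of a complete nginx server block for proxying the Proxmox GUI; it is not the poster's configuration. The CSP string and the three proxy_set_header lines are taken verbatim from the reply above; the hostname, certificate paths and the values of the four headers from the first post (X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Strict-Transport-Security) are assumptions, since the thread never states them. Note that 'unsafe-inline' and 'unsafe-eval' in script-src are what the Proxmox GUI needs, but they also mean the policy no longer blocks injected inline script, so the CSP mainly still restricts objects, base URIs and where scripts are loaded from.

```nginx
# Added example (not the thread's posted configuration): TLS termination,
# the security headers discussed in the thread, and a reverse proxy to the
# Proxmox web GUI listening on 127.0.0.1:8006. Hostname, certificate paths
# and the values of the first four headers are placeholders/assumptions.
server {
    listen 443 ssl;
    server_name pve.example.com;                                 # placeholder

    ssl_certificate     /etc/ssl/certs/pve.example.com.crt;      # placeholder
    ssl_certificate_key /etc/ssl/private/pve.example.com.key;    # placeholder

    # Caveat: add_header directives are inherited from server{} into a
    # location{} only if that location declares NO add_header of its own.
    # Keeping them all here avoids silently losing headers later.
    # "always" makes nginx add them on error responses as well.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # CSP string exactly as posted in the reply above. 'unsafe-eval' and
    # 'unsafe-inline' are required by the Proxmox GUI; object-src 'none' and
    # base-uri 'self' are the parts that still add real protection.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' fonts.gstatic.com data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';" always;

    location / {
        proxy_pass https://127.0.0.1:8006;   # Proxmox GUI on its default port
        proxy_http_version 1.1;              # needed for the WebSocket Upgrade handshake
        proxy_buffering off;                 # do not buffer the console stream

        # The three proxy_set_header lines the reply says noVNC needs.
        proxy_set_header Host $host;
        proxy_set_header Connection "";      # as posted; nginx's WebSocket docs use "upgrade" here
        proxy_set_header Upgrade $http_upgrade;
    }
}
```

After editing, run `nginx -t` before reloading, then confirm the headers from the outside with `curl -sI https://pve.example.com/` and open a noVNC console to verify the WebSocket path still works; if a later location{} gains its own add_header, re-check that the server-level headers are still present on that path.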

How do I define the 'Content Security Policy' for Proxmox?

In which part should I look to define the CSP?

Thanks.
 
Hi!

I believe nginx and haproxy, as reverse proxies, will allow you to add or replace headers, including CSP.

Thanks