Hi there, I implemented today successful the security headers for: • X-Content-Type-Options • X-XSS-Protection • Referrer-Policy • Strict-Transport-Security But the last two headers Content-Security-Policy and X-Frame-Options break my head all afternoon. For X-Frame-Options I tried all possibilities but it seems while setting this the shell is not working anymore, the same for the Content-Security-Policy. Is there a recommendation for these two headers for Proxmox?
X-Frame-Options SAMEORIGIN the shell is gray nothing happens ALLOW-FROM https://example.com/ I tried localhost, localhost:8006, 127.0.0.1, 127.0.0.1:8006, also port 5900, URL, Public IP etc. Everytime when I enable that header the shell in Proxmox stays gray, have to disable that header again.
Hey, I know it's a little bit late but in case anyone is seeing this who is having the same problem: I had the same problem today and found a Solution. When defining the 'Content-Security-Policy' you have to make sure you're setting the two values 'unsafe-eval' and 'unsafe-inline' in order to access Proxmox. My Complete CSP String: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' fonts.gstatic.com data:; media-src *; connect-src *; object-src 'none'; base-uri 'self'; From this point on you should be able to access Proxmox. The next problem I had was: I couldn't connect to the NoVNC Consoles. Make sure you've set these 3 Parameters in your location{} part: proxy_set_header Host $host; proxy_set_header Connection ""; proxy_set_header Upgrade $http_upgrade; If anyone needs some more help or wants to see my complete NGINX Configuration, please let me know.
