Setting HTTPS headers

damo2929

Member
Mar 15, 2022
Hi all,

Proxmox has been pulled up on our internal pen test for not having security headers set on the web interface, making the application vulnerable to clickjacking.
As such, what file needs adjusting to add and set the X-Frame-Options and Content-Security-Policy response headers?
 
Hi!

As far as I'm aware, we currently do not support setting custom HTTP headers. If you wish, you can file a feature request on our Bugzilla.

It's most likely better to use a reverse proxy in front of PVE for such requirements. We do have a rudimentary guide on how to set up Nginx for that purpose on our Wiki, but there should be other resources out there for e.g. Caddy, Traefik, etc. if you give it a quick search.

(Also, if I may suggest an idea: If you have multiple web services running in your organisation, it might be favourable for you to put all of them behind a reverse proxy so that you may enforce such policies across the board and have a more localised configuration in that regard. Not sure if this helps or is applicable on your end, but I wanted to mention it regardless.)

Hope that helps!
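
The reverse-proxy approach suggested above, sketched as an nginx server block that adds the two headers from the question. This is an added example, not part of the thread and not the configuration from the Proxmox Wiki; the hostname, certificate paths and the backend address `127.0.0.1:8006` are assumptions to adapt.

```nginx
# Added example: nginx in front of the Proxmox VE web interface.
# pve.example.com and the certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name pve.example.com;

    ssl_certificate     /etc/nginx/tls/pve.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/pve.example.com.key;

    # Anti-clickjacking headers. "always" also sets them on error
    # responses (4xx/5xx), which scanners check as well.
    # SAMEORIGIN / 'self' still lets the interface frame its own pages
    # (assumed to be needed); tighten to DENY / 'none' only after
    # confirming that nothing in the interface breaks.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    location / {
        # Assumed backend: the PVE web service on port 8006, same host.
        proxy_pass https://127.0.0.1:8006;

        # WebSocket upgrade, needed for the browser-based consoles.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        # Do not put add_header in this block: any add_header here
        # replaces the server-level ones above instead of adding to them.
    }
}
```

The headers only reach clients that connect through the proxy, so direct access to the backend port should be restricted to the proxy host. After reloading nginx, `curl -skI https://pve.example.com/` should list both headers in the response.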