So I’ve decided to come away from the DuckDNS setup I had and have moved over to my own domain using Cloudflare and the Nginx Proxy Manager.
This setup works perfectly, but I want it to be as secure as possible.
Doing tests on my domain, I get the following missing HTTP headers:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
I would like to solve this, so after some googling I came across the following code:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header Content-Security-Policy "default-src 'self' https://.elementor.com https://.google.com; font-src 'self' data: https://.googleapis.com https://.gstatic.com; img-src 'self' data: https://i.imgur.com https://.gravatar.com https://.elementor.com; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' data: https://.googleapis.com; script-src-elem 'self' 'unsafe-inline' https://.cloudflare.com; frame-src 'self' https://.youtube.com https://.google.com;";
I thought I could just put this in “Proxy Host/Advanced/Custom Nginx Configuration”, but it didn’t do anything.
So after some playing I found that if I put it in “Proxy Host/Custom Locations” with a location path of “/” it does work, and on the Home Assistant login page the HTTP headers are perfect, but I get the “cannot connect to Home Assistant” screen instead.
So I hope someone can point me in the right direction of getting the best of both worlds, getting Home Assistant to work with the headers fixed…
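An added example, not part of the original post: a small offline check that reports which of the post's headers a response lacks and lints a Content-Security-Policy value for weak keywords and for sources that do not fit the CSP host-source grammar (as printed above, entries such as `https://.google.com` have an empty label before the first dot). The function names and the `SAMPLE` response are assumptions constructed for illustration.

```python
import re

# Headers set by the add_header lines in the post.
EXPECTED = ("Strict-Transport-Security", "X-Frame-Options", "X-XSS-Protection",
            "X-Content-Type-Options", "Referrer-Policy", "Content-Security-Policy")

# CSP host-source: optional scheme, optional "*.", non-empty labels, optional port/path.
HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*"
    r"(?::(?:\d+|\*))?(?:/\S*)?$", re.IGNORECASE)
SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.IGNORECASE)

def missing_headers(headers):
    """Return the expected header names absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in EXPECTED if name.lower() not in present]

def parse_csp(value):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(policy):
    """Return (directive, source, reason) for weak or unparseable sources."""
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append((directive, src, "permits inline or eval'd code"))
            elif src.startswith("'") or src == "*" or SCHEME_SOURCE.match(src):
                continue  # keyword, bare wildcard or scheme-source such as data:
            elif not HOST_SOURCE.match(src):
                findings.append((directive, src, "not a valid host-source"))
    return findings

# Constructed sample: a response carrying three header values in the post's form.
SAMPLE = {
    "x-frame-options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self' https://.google.com; img-src 'self' "
        "data: https://i.imgur.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
}

if __name__ == "__main__":
    print(missing_headers(SAMPLE), audit_csp(parse_csp(SAMPLE["Content-Security-Policy"])))
```

To check a live site, pass the header mapping from any HTTP client response to `missing_headers` and its `Content-Security-Policy` value to `parse_csp`.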