my own indieAuth provider! indiko.dunkirk.sh/docs
indieauth oauth2-server


feat: add csp headers

README.md
··· 129 129 - `PUT /api/admin/clients/:clientId` - Update client 130 130 - `DELETE /api/admin/clients/:clientId` - Delete client 131 131 132 + ## Production Deployment 133 + 134 + ### Reverse Proxy Configuration 135 + 136 + Indiko should be deployed behind a reverse proxy (nginx, Caddy, Traefik) for production use. The proxy should add security headers. 137 + 138 + #### nginx Example 139 + 140 + ```nginx 141 + server { 142 + listen 443 ssl http2; 143 + server_name auth.example.com; 144 + 145 + ssl_certificate /path/to/cert.pem; 146 + ssl_certificate_key /path/to/key.pem; 147 + 148 + # Security headers 149 + add_header X-Frame-Options "DENY" always; 150 + add_header X-Content-Type-Options "nosniff" always; 151 + add_header X-XSS-Protection "1; mode=block" always; 152 + add_header Referrer-Policy "strict-origin-when-cross-origin" always; 153 + add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; 154 + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; 155 + 156 + # Content Security Policy 157 + add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; script-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always; 158 + 159 + location / { 160 + proxy_pass http://localhost:3000; 161 + proxy_set_header Host $host; 162 + proxy_set_header X-Real-IP $remote_addr; 163 + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 164 + proxy_set_header X-Forwarded-Proto $scheme; 165 + } 166 + } 167 + ``` 168 + 169 + #### Caddy Example 170 + 171 + ```caddy 172 + auth.example.com { 173 + reverse_proxy localhost:3000 174 + 175 + header { 176 + X-Frame-Options "DENY" 177 + X-Content-Type-Options "nosniff" 178 + X-XSS-Protection "1; mode=block" 179 + Referrer-Policy "strict-origin-when-cross-origin" 180 + Permissions-Policy 
"geolocation=(), microphone=(), camera=()" 181 + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 182 + Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; script-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" 183 + } 184 + } 185 + ``` 186 + 187 + ### Security Headers Explained 188 + 189 + - **X-Frame-Options**: Prevents clickjacking attacks 190 + - **X-Content-Type-Options**: Prevents MIME-sniffing 191 + - **X-XSS-Protection**: Enables browser XSS filter 192 + - **Referrer-Policy**: Controls referrer information 193 + - **Permissions-Policy**: Restricts browser features 194 + - **Strict-Transport-Security**: Enforces HTTPS 195 + - **Content-Security-Policy**: Prevents XSS and data injection attacks 196 + 197 + > [!NOTE] 198 + > The CSP allows Google Fonts and user-provided profile images (`img-src https:`). Adjust based on your security requirements. 199 + 132 200 ## Development 133 201 134 202 ```bash
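Review bot: `X-XSS-Protection "1; mode=block"` appears in both the nginx and Caddy examples and is documented under "Security Headers Explained" as "Enables browser XSS filter", but this header is deprecated: current Chromium and Firefox ignore it (Chrome removed its XSS Auditor), and the filter it controlled was itself a source of problems in older browsers, so the usual recommendation today is `X-XSS-Protection: 0` or omitting the header and relying on the Content-Security-Policy that the same blocks already set. Suggest removing it from both examples and the bullet list, or marking it legacy-only. Two smaller points on the nginx block: `add_header` directives in the `server` context are inherited by `location /` only while that location block contains no `add_header` of its own, so a one-line comment warning that adding any `add_header` inside the location silently drops every security header above would prevent a common mistake; and `Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` deserves a note that it is a long-lived commitment (`includeSubDomains` binds every subdomain of `auth.example.com` to HTTPS and `preload` signals eligibility for browser preload lists), so readers who are not sure may want to start with `max-age` alone and add the other two tokens later.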