nginx Security Headers Config... missing custom??

Started by shanelord, July 31, 2023, 03:14:52 AM

July 31, 2023, 03:14:52 AM Last Edit: August 02, 2023, 02:42:23 AM by shanelord
I'm trying to get my security headers to be A+ via https://securityheaders.com/

At the moment I'm getting an A (info below).

The main issue - no way to set the Permissions-Policy

Am I missing the way to add custom entries into the Security Headers in the GUI?

I've opened an issue on the OPNsense Github

Thanks,
Shane.

---
How I get an A (your needs may vary):

1. Create or edit the default security header under "HTTP(S)/Security Headers".

General Tab
1. Set Referrer to "No Referrer"
2. Set XSS Protection to "Block"
3. Set Content Security Policy (CSP) to "Enable"

Default Source, Script, Image, Stylesheet, Media, Font, Worker and Form Tabs
1. Set to Enable
Everything else leave as default

Frame Tab
Frame Source
1. Set to Enable
2. Tick to Enable Same Origin (recommended)
Frame Ancestors
1. Set to Enable
2. Tick to Enable Same Origin (recommended)

Websockets
Leave as default

2. Add the new Security Header to your HTTP Server under "HTTP(S)/HTTP Server"
- Edit your server, and at the very bottom under "Security Header" select your new security header and save it.
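For readers who want to see what the GUI steps above produce, here is the raw nginx equivalent of that header set, with the Permissions-Policy the post says cannot be set from the GUI added by hand. This is an added example and not code from the original post or from the OPNsense nginx plugin; the server name, the listen line, and the set of features denied in Permissions-Policy are assumptions and should be adjusted to the site.

```nginx
# Added example: nginx security headers matching the GUI settings described above,
# plus Permissions-Policy. Not from the original post or the OPNsense plugin.
server {
    listen 443 ssl http2;          # assumed; use your existing listen directive
    server_name example.com;       # assumed

    # "always" makes nginx attach the header to every response code, including
    # 4xx/5xx error pages. Without it, headers are only added to 2xx/3xx
    # responses, and a scanner that lands on an error page sees none of them.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # One CSP directive per GUI tab: Default Source, Script, Image, Stylesheet,
    # Media, Font, Worker, Form, Frame Source and Frame Ancestors, all 'self'.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; media-src 'self'; font-src 'self'; worker-src 'self'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'" always;

    # X-Frame-Options SAMEORIGIN is the legacy equivalent of frame-ancestors 'self';
    # keeping both covers browsers that only understand the older header.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;   # the "No Referrer" GUI option

    # The header the post is missing. Deny the browser features the site does
    # not use; the list here is an assumption, extend it as needed.
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;

    # "XSS Protection: Block" in the GUI. This header is legacy: current browsers
    # ignore it, and the CSP above is what actually prevents inline script.
    add_header X-XSS-Protection "1; mode=block" always;

    # Caution: add_header is not cumulative across levels. If a location block
    # below contains its own add_header, it inherits NONE of the headers above,
    # so repeat the full set (or use an include file) in any such location.
    location / {
        root /usr/local/www/example;   # assumed
        index index.html;
    }
}
```

After reloading nginx, confirm the headers are present on both a normal page and an error page, for example `curl -sI https://example.com/` and `curl -sI https://example.com/does-not-exist`, and check that `Permissions-Policy` appears in both before re-running the securityheaders.com scan.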