toomuchio / plex-nginx-reverseproxy

Configuration to serve Plex Media Center https://plex.tv using Nginx https://nginx.com
659 stars, 94 forks

CSP Content Security #41

Closed ma-karai closed 5 years ago

ma-karai commented 5 years ago

What's your score with your reverse proxy setup? https://observatory.mozilla.org/

toomuchio commented 5 years ago

This config does not inject a CSP, the Plex app may have its own and I don't want to conflict with it or have to constantly update it when they change things.

ma-karai commented 5 years ago

Well, the Plex app doesn't; after installing you get a score of F, it's quite horrible tbh. So I was wondering how people who have reverse proxies handle it.

toomuchio commented 5 years ago

If you want to add a CSP you can, but I won't be adding one to the upstream because it'll likely break things. You can always deny the web interface externally and force your users to app.plex.tv, which does have a CSP last I checked.

ma-karai commented 5 years ago

Alrighty, thanks for your input. On a side note, the CSP of app.plex.tv is also quite horrendous: https://observatory.mozilla.org/analyze/app.plex.tv

ghost commented 5 years ago

My fork contains some extra headers, including CSP, which give a C on Observatory and A+ on securityheaders.com. For an A+ on Observatory a correct CORS and SRI config is required too.

Headers for CSP:


  # https://securityheaders.com - A+ certification using headers below
  # "always" makes nginx emit the header on every response code, not only 2xx/3xx
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  # frame-ancestors 'none' in the CSP below is stricter and takes precedence in browsers
  # that support it; X-Frame-Options stays as the fallback for older ones
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header Referrer-Policy no-referrer always;
  # Referrer behaviour is controlled by the Referrer-Policy header above; "referrer" is not
  # a CSP directive and browsers ignore it, so it is left out of the policy
  add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://plex.tv https://*.plex.direct:* wss://*.plex.direct:* wss://pubsub.plex.tv; media-src 'self' https://*.plex.direct:*; object-src 'self'; child-src 'none'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;" always;
  # Feature-Policy allowlist keywords must be quoted ('none', 'self'); bare none/self
  # are not valid allowlist values
  add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'none'; fullscreen 'self'; payment 'none'" always;

ma-karai commented 5 years ago

Ok, from F to C, that's already better :D However, is your page still available after?

ghost commented 5 years ago

The headers above do break the ability to login through the server's web page. On further investigation I've been able to remedy that by adding the sha256 hashes of the online scripts:

  # The two hashes cover the inline scripts served by this PMS build; a single changed byte
  # in either script invalidates its hash. "referrer" is not a CSP directive (the
  # Referrer-Policy header handles that) and is left out.
  add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; script-src 'self' 'sha256-bNLweJN3Yzls1OKSBIB9E9CKdgE6T2upPOmMTe/a810=' 'sha256-JTbObKW6XPDkm3DQ1ISbW/U8NkUKjP8zajJ8ipx19Uw='; style-src 'self'; img-src 'self' https://provider-static.plex.tv data: blob:; font-src 'self' data:; connect-src 'self' https://plex.tv https://*.plex.direct:* wss://*.plex.direct:* wss://pubsub.plex.tv; media-src 'self' https://*.plex.direct:*; object-src 'self'; child-src 'none'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content;" always;

The automatic redirection to /web doesn't work on initial loading; however, you are directed to log in through Plex when accessing it directly. I presume this can be fixed through some sort of rewrite rule in NGINX.

The hashes were generated using https://report-uri.com/home/hash and most likely will need to be regenerated on each PMS update.
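As an added example (not code from this repository or from any commenter), the Python below does offline what the hash generator and the browser do: it extracts inline script bodies from a page, computes the `'sha256-…'` source expressions a CSP needs for them, checks whether a given policy would let each script run, and lints the policy posted earlier in this thread for directives browsers ignore. The HTML is constructed for the example and is not Plex's real markup; the policy string is the one posted above.

```python
import base64
import hashlib
import re

# Constructed sample page: not Plex's real markup, just two inline scripts to hash.
# Against a real PMS you would fetch the served page from its /web endpoint instead.
SAMPLE_HTML = """<html><head>
<script>window.__plexConfig = {"webRoot": "/web"};</script>
</head><body>
<script type="text/javascript">
  document.body.dataset.ready = "1";
</script>
</body></html>"""

# The first (unhashed) policy posted in this thread, verbatim.
THREAD_POLICY = (
    "default-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self'; "
    "img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://plex.tv "
    "https://*.plex.direct:* wss://*.plex.direct:* wss://pubsub.plex.tv; "
    "media-src 'self' https://*.plex.direct:*; object-src 'self'; child-src 'none'; "
    "frame-src 'none'; frame-ancestors 'none'; form-action 'self'; "
    "upgrade-insecure-requests; block-all-mixed-content; referrer no-referrer;"
)

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
_KEYWORDS = ("none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic")


def inline_scripts(html):
    """Return the exact text between each <script ...> and </script>.
    CSP hashes cover that text byte for byte, whitespace included, so nothing is stripped."""
    return _SCRIPT_RE.findall(html)


def csp_hash(source, algorithm="sha256"):
    """CSP source expression for one inline script, e.g. 'sha256-<base64 digest>'.
    The digest is over the UTF-8 bytes of the script body; this is what
    report-uri.com/home/hash produces for pasted script text."""
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def parse_csp(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_allowed(policy, source):
    """True if an inline script with this body would execute under the policy.
    script-src falls back to default-src when absent. 'unsafe-inline' permits it
    unless a hash or nonce source is also present, which disables 'unsafe-inline';
    otherwise one of the listed hashes must match."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return any(csp_hash(source, alg) in sources for alg in ("sha256", "sha384", "sha512"))


def lint_csp(policy):
    """Flag policy content that browsers ignore or read differently from the author's intent."""
    findings = []
    directives = parse_csp(policy)
    if "referrer" in directives:
        findings.append("'referrer' is not a CSP directive; use the Referrer-Policy header")
    if "block-all-mixed-content" in directives:
        findings.append("block-all-mixed-content is deprecated in CSP3; upgrade-insecure-requests covers it")
    for name, sources in directives.items():
        for s in sources:
            if s in _KEYWORDS:
                findings.append("%s: keyword %s must be quoted as '%s'" % (name, s, s))
    return findings


if __name__ == "__main__":
    for body in inline_scripts(SAMPLE_HTML):
        print(csp_hash(body))
    for finding in lint_csp(THREAD_POLICY):
        print("lint:", finding)
```

The hash values printed for the constructed page are only valid for that exact script text, which is the same reason the thread's hashes need regenerating after a PMS update: any change to the served inline script, even whitespace, produces a different digest.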