toomuchio/plex-nginx-reverseproxy

CSP Content Security

ma-karai opened this issue · 7 comments

What's your score with your reverse proxy setup?
https://observatory.mozilla.org/

This config does not inject a CSP, the Plex app may have it's own and I don't want to conflict with it or have to constantly update it when they change things.

Well, the plex app doesn't after installing you get a score of F, it's quite horrible tbh. So I was wondering how people who have reverse proxies handle it.

If you want to add a CSP you can but I wont be adding one to the upstream because it'll likely break things.
You can always deny the web interface externally and force your users to app.plex.tv which does have a CSP last I checked.

Alrighty, thanks for your input. On a side note the csp of app.plex.tv is also quite horrendous https://observatory.mozilla.org/analyze/app.plex.tv

My fork contains some extra headers including CSP which give a C on observatory and A+ on securityheaders.com. For an A+ on observatory a correct CORS and SRI config is required too.

Headers for CSP:

  # https://securityheaders.com - A+ certification using headers below
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header Referrer-Policy no-referrer always;
  add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://plex.tv https://*.plex.direct:* wss://*.plex.direct:* wss://pubsub.plex.tv; media-src 'self' https://*.plex.direct:*; object-src 'self'; child-src 'none'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; referrer no-referrer;" always;
  add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;" always;

Ok from F to C that's already better :D however is your page still available after ?

The headers above do break the ability to login through the server's web page. On further investigation I've been able to remedy that by adding the sha256 hashes of the online scripts:

add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; script-src 'self' 'sha256-bNLweJN3Yzls1OKSBIB9E9CKdgE6T2upPOmMTe/a810=' 'sha256-JTbObKW6XPDkm3DQ1ISbW/U8NkUKjP8zajJ8ipx19Uw='; style-src 'self'; img-src 'self' https://provider-static.plex.tv data: blob:; font-src 'self' data:; connect-src 'self' https://plex.tv https://*.plex.direct:* wss://*.plex.direct:* wss://pubsub.plex.tv; media-src 'self' https://*.plex.direct:*; object-src 'self'; child-src 'none'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; referrer no-referrer;" always;

The automatic redirection to /web doesn't work on initial loading however you are directed to login through Plex when accessing it directly. I presume this can be fixed through some sort of rewrite rule in NGINX.

The hashes were generated using: https://report-uri.com/home/hash - most likely will need to be regenerated on each PMS update.