From 991fd829c102eb035ff0b9215ffbac0ee53245e3 Mon Sep 17 00:00:00 2001
From: iotku
Date: Wed, 16 Oct 2019 08:21:47 -0700
Subject: [PATCH 1/2] Add security headers to Nginx reverse proxy

---
 general/administration/reverse-proxy.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/general/administration/reverse-proxy.md b/general/administration/reverse-proxy.md
index f72efee29..b577b7673 100644
--- a/general/administration/reverse-proxy.md
+++ b/general/administration/reverse-proxy.md
@@ -121,6 +121,15 @@ server {
 # ssl_stapling on;
 # ssl_stapling_verify on;
 #
+# # Security / XSS Mitigation Headers
+# add_header X-Frame-Options "SAMEORIGIN";
+# add_header X-XSS-Protection "1; mode=block";
+# add_header X-Content-Type-Options "nosniff";
+#
+# # Content Security Policy
+# # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+# add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'";
+#
 # location / {
 # # Proxy main Jellyfin traffic
 # proxy_pass http://SERVER_IP_ADDRESS:8096;

From a5c03391c346705a8f4a1a1feaef65245cd1f0ad Mon Sep 17 00:00:00 2001
From: iotku
Date: Thu, 17 Oct 2019 17:17:34 -0700
Subject: [PATCH 2/2] Added notes about CSP for Nginx reverse proxy

Also added: frame-ancestors 'self' which is the CSP equivelent to X-Frame-Options sameorigin
---
 general/administration/reverse-proxy.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/general/administration/reverse-proxy.md b/general/administration/reverse-proxy.md
index b577b7673..746be3256 100644
--- a/general/administration/reverse-proxy.md
+++ b/general/administration/reverse-proxy.md
@@ -128,7 +128,9 @@ server {
 #
 # # Content Security Policy
 # # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-# add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'";
+# # Enforces https content and restricts JS/CSS to origin
+# # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+# add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
 #
 # location / {
 # # Proxy main Jellyfin traffic