SearXNG Perfect A+ Grade Setup?

Are there any experts who can help get SearXNG A+ Grade on both TLS and CSP?

I've tried config traefik.yml, dynamic.yml, and user-config. I'm still getting E Grade on TLS and D Grade on CSP.

TLS Grade:
https://cryptcheck.fr/

CSP Grade:
https://developer.mozilla.org/en-US/observatory

MDN Web Docs

HTTP Header Security Test - HTTP Observatory | MDN

Test your site’s HTTP headers, including CSP and HSTS, to find security problems and get actionable recommendations to make your website more secure. Test other websites to see how you compare.

Nicolas•5/17/25, 2:42 PM

I get an F on google.com

InfBoumcyCastle•5/18/25, 5:24 AM

What have you tried specifically?

IInfBoumcyCastle What have you tried specifically?

ABOhiccupsOP•5/18/25, 7:29 AM

I'm trying to get A+ Grade result. Getting A+ is the must secure for visitors. I've tried to configure Traefik settings and I still end up getting E and D Grade.

InfBoumcyCastle•5/18/25, 9:59 AM

You still have not explained what you have tried so far. You pointed to files, but not what you have done there. W/o Infos help is not easy to provide

IInfBoumcyCastle You still have not explained what you have tried so far. You pointed to files, b...

ABOhiccupsOP•5/18/25, 10:32 AM

I've tried your notes in dynamic.yml and user-config/migrated/searxng/docker-compose.yml.

The grade did not change. Still getting same grade as with default settings.

https://github.com/falkheiland/user-config/blob/main/traefik/etc/dynamic/dynamic.yml

GitHub

user-config/traefik/etc/dynamic/dynamic.yml at main · falkheiland/...

heayily opinionated user-config for runtipi. Contribute to falkheiland/user-config development by creating an account on GitHub.

InfBoumcyCastle•5/18/25, 10:40 AM

From the other post with crowdsec I know / assume you are on tipi v4.
My config on GitHub is still from v3.x
There are changes in v4 that need changes in my GitHub user-config as well, which is not documented yet.

One of the things will be, that the v3 to v4 migration did not move the user customized traefik config, but left in in migration-backup. Chances are, you are not applying a custom traefik config atm.

InfBoumcyCastle•5/18/25, 11:47 AM

i just tried cryptcheck.fr - which just claims my site does not support tls - well

so i tested with https://www.ssllabs.com/ssltest/index.html which gave me an A but, it also says sts is not active - which it shuold be, have to look it up, but x-frame-options are not active on my end, which - yeah i dont really care tbh

SSL Server Test (Powered by Qualys SSL Labs)

A comprehensive free SSL test for your public web servers.

InfBoumcyCastle•5/18/25, 11:50 AM

then https://securityheaders.com/? gave me an F

Analyse your HTTP response headers

Quickly and easily assess the security of your HTTP response headers

InfBoumcyCastle•5/18/25, 12:33 PM

so. i used chatgpt to help me out - i hate to admit it

i made some adjustments to the dynamic.yml - should not make a substancial difference though and tested via cli to my authentik portal - searxng is not externally available without auth

curl -I https://auth.example.com

HTTP/2 302
content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';
content-type: text/html; charset=utf-8
date: Sun, 18 May 2025 12:03:30 GMT
location: /flows/-/default/authentication/?next=/
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()
referrer-policy: same-origin
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Accept-Encoding
vary: Cookie
x-authentik-id: e5349c6dd24f4c3fb196590742dc244e
x-content-type-options: nosniff
x-frame-options: DENY
x-powered-by: authentik
x-robots-tag: none,noarchive,nosnippet,notranslate,noimageindex,noindex,nofollow
x-xss-protection: 1; mode=block
content-length: 0

the headers that some of the sites say are not available are there. screenshot from chatgpt - i choose to believe it

InfBoumcyCastle•5/18/25, 12:34 PM

chatgpt also said:

Why SecurityHeaders.com or Observatory might still complain:

302 Redirect is the first response

The headers you see are returned after the redirect, but some tools test the initial response.

Tools like securityheaders.com or observatory.mozilla.org may only scan the initial 302 response, not the final destination.

If the redirect response is missing headers, you get a lower score.

Redirect from Traefik to Authentik

The redirect (302 with location: /flows/...) is likely coming before full auth headers are applied.

Some headers may not be attached to that 302 response depending on your middleware chain and router configuration

-> so that makes sense, i guess?