Content Security Policy for Immich

Hi, I've recently changed my Immich instance to be accessible from the public internet to allow my friends to use it as well. As I was auditing my setup, I noticed that Immich doesn't provide a Content Security Policy (CSP) header. A well-made CSP can be a major improvement in the web UI's resilience to cross-site scripting attacks, especially when unsafe inlining is disabled for both scripts and styles. Many larger projects like Jellyfin and Mastodon provide a CSP policy out of the box. In my experience, Nginx, as well as other reverse proxies, passes the CSP header to the client with no configuration, so the project having a CSP would not require any additional actions from those using a reverse proxy. I've searched through this forum, as well as GitHub, and found a few relatively old posts from people who came up with their own CSP for Immich, but neither the upstream project nor the demo instance actually provides a CSP. Is there any "canonical" source where I could find a CSP for Immich, or does the project not have a CSP yet? Thank you. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
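The post above asks for a policy that disables inline scripts and styles and is simply forwarded by a reverse proxy. As an added example (not code from the original post, from Immich, or from any of the linked projects), the script below parses a CSP header value and flags the weaknesses an auditor checks first: 'unsafe-inline' on script-src or style-src without a nonce or hash, wildcard and bare-scheme sources, 'unsafe-eval', and the directives that do not fall back to default-src (base-uri, frame-ancestors) or should be locked down explicitly (object-src). The two policy strings in it are constructed for the demonstration and are not Immich's real headers.

```javascript
// Added example (not part of the Immich project): parse a
// Content-Security-Policy header value and flag the weaknesses an auditor
// looks for first, in particular 'unsafe-inline' on scripts and styles.
// All policy strings below are constructed for illustration.

// Fetch directives whose absence makes the browser fall back to default-src.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'manifest-src',
]);

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The spec ignores a repeated directive: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that actually apply to a fetch directive, or null if unrestricted.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

function lintCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  for (const name of ['script-src', 'style-src']) {
    const srcs = effectiveSources(d, name);
    if (srcs === null) {
      findings.push(`${name}: unrestricted (neither ${name} nor default-src is set)`);
      continue;
    }
    const lower = srcs.map((s) => s.toLowerCase());
    // A nonce or hash source makes 'unsafe-inline' ignored by CSP Level 2+
    // browsers, so only report it when no nonce/hash is present.
    const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
      const what = name === 'script-src' ? 'scripts' : 'styles';
      findings.push(`${name}: 'unsafe-inline' permits injected inline ${what}`);
    }
    if (lower.includes('*')) findings.push(`${name}: wildcard source`);
    // Bare scheme sources such as https: allow any host on that scheme.
    for (const s of lower) {
      if (/^(https?|data|blob):$/.test(s)) {
        findings.push(`${name}: scheme source ${s} allows any ${s} origin`);
      }
    }
    if (name === 'script-src' && lower.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' permits eval()/Function()");
    }
  }

  if (effectiveSources(d, 'object-src') === null) {
    findings.push("object-src: unrestricted; set object-src 'none' to block plugin content");
  }
  // These two do not fall back to default-src and must be set explicitly.
  if (!d.has('base-uri')) {
    findings.push("base-uri: missing; set base-uri 'self' to stop <base> hijacking");
  }
  if (!d.has('frame-ancestors')) {
    findings.push("frame-ancestors: missing; set frame-ancestors 'none' (or 'self') against clickjacking");
  }
  return findings;
}

// Constructed policies for the demonstration (not Immich's real headers).
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: blob:; " +
  "connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

// In nginx, a policy like STRICT_POLICY would be emitted with:
//   add_header Content-Security-Policy "<policy>" always;
// ("always" also sends it on error responses).

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, policy] of [['weak', WEAK_POLICY], ['strict', STRICT_POLICY]]) {
    const f = lintCsp(policy);
    console.log(`${label}:`, f.length ? f : 'no findings');
  }
}
```

Run it against the value your proxy actually sends (e.g. copied from `curl -sI https://your-host/`) rather than the one you think you configured; a proxy that strips or duplicates the header will show up as an unrestricted or first-wins policy here. Whether a strict policy like the constructed one breaks the Immich web UI is something to verify in the browser console, since that depends on the app's own inline scripts and styles.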
1 Reply

Immich (3w ago)
:wave: Hey @HorrayPhobic, thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.

References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed GitHub for known issues.
5. :blue_square: tried accessing Immich via local IP (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable.
(An item can be marked as "complete" by reacting with the appropriate number.)

Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed.

Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
