Content Security Policy for Immich

Hi, I've recently changed my Immich instance to be accessible from the public internet to allow my friends to use it as well. As I was auditing my setup, I noticed that Immich doesn't provide a Content Security Policy (CSP) header.
A well-made CSP can be a major improvement in the webUI's resilience to cross-site scripting attacks, especially when unsafe inlining is disabled for both scripts and styles.
Many larger projects like Jellyfin and Mastodon provide a CSP policy out of the box.
In my experience, Nginx, as well as other reverse proxies, pass the CSP header to the client with no configuration, so the project having a CSP would not require any additional actions from those using a reverse proxy.

I've searched through this forum, as well as GitHub, and found a few relatively old posts from people who came up with their own CSP for Immich, but neither the upstream project nor the demo instance actually provides a CSP.

Is there any "canonical" source where I could find a CSP for Immich, or does the project not have a CSP yet?

Thank you.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
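As an added example (not from the original post, and not Immich project code), here is a small audit helper for the point made above about unsafe inlining: it parses a Content-Security-Policy header value and reports whether inline scripts and styles are still permitted, applying the browser's fallback from `script-src`/`style-src` to `default-src` and the CSP2 rule that nonce or hash sources cause `'unsafe-inline'` to be ignored. The sample header values are constructed for illustration.

```python
"""Audit a CSP header for inline script/style allowances (added example)."""


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated; a repeated directive keeps its first
    occurrence, which matches how browsers treat duplicates.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Sources governing `directive`, falling back to default-src; None if neither is set."""
    return policy.get(directive, policy.get("default-src"))


def allows_inline(sources) -> bool:
    """True when inline content is permitted under this source list.

    No governing directive at all means no restriction. 'unsafe-inline' permits
    inline content unless a nonce- or hash-source is also present, in which
    case CSP Level 2+ browsers ignore 'unsafe-inline'.
    """
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    return not any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)


def audit_csp(header: str) -> dict[str, bool]:
    """Map 'script-src' and 'style-src' to whether inline content is allowed."""
    policy = parse_csp(header)
    return {d: allows_inline(effective_sources(policy, d)) for d in ("script-src", "style-src")}


# Constructed sample headers: a permissive one and a stricter one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self'; object-src 'none'"

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, audit_csp(value))
```

The same `audit_csp` call can be run over the `Content-Security-Policy` value returned by a reverse proxy to confirm the header actually reaches the client unchanged.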