HorrayPhobic
Immich
Created by HorrayPhobic on 5/22/2025 in #help-desk-support
immich_server and immich_machine_learning not starting after 1.133.0 update

47 replies
Immich
Created by HorrayPhobic on 5/16/2025 in #help-desk-support
Content Security Policy for Immich
Hi, I've recently changed my Immich instance to be accessible from the public internet to allow my friends to use it as well. As I was auditing my setup, I noticed that Immich doesn't provide a Content Security Policy (CSP) header.
A well-made CSP can be a major improvement in the web UI's resilience to cross-site scripting attacks, especially when unsafe inlining is disabled for both scripts and styles.
Many larger projects like Jellyfin and Mastodon provide a CSP policy out of the box.
In my experience, Nginx, as well as other reverse proxies, pass the CSP header to the client with no configuration, so the project having a CSP would not require any additional actions from those using a reverse proxy.
I've searched through this forum, as well as GitHub, and found a few relatively old posts from people who came up with their own CSP for Immich, but neither the upstream project nor the demo instance actually provides a CSP.
Is there any "canonical" source where I could find a CSP for Immich, or does the project not have a CSP yet?
Thank you.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
4 replies
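The check described in the post above (is a CSP header present, and is inline content disabled for both scripts and styles) can be automated against a response's headers. This is an added example, not code from the post or from the Immich project; the function names are hypothetical, the sample policies are constructed, and only `script-src` and `style-src` with their `default-src` fallback are evaluated.

```python
import re

# Nonce and hash source expressions, e.g. 'nonce-abc' or 'sha256-...'
_NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[^']+'$", re.I)


def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers; the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def allows_inline(policy, directive):
    """True if inline content governed by `directive` would be allowed."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no directive and no default-src: nothing restricts it
    lowered = [s.lower() for s in sources]
    if any(_NONCE_OR_HASH.match(s) for s in sources):
        return False  # 'unsafe-inline' is ignored next to a nonce or hash
    if directive == "script-src" and "'strict-dynamic'" in lowered:
        return False  # 'strict-dynamic' also disables 'unsafe-inline'
    return "'unsafe-inline'" in lowered


def audit(headers):
    """Return a list of findings for a dict of response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "content-security-policy"), None)
    if value is None:
        return ["no Content-Security-Policy header"]
    policy = parse_csp(value)
    return [f"{d} allows inline content"
            for d in ("script-src", "style-src") if allows_inline(policy, d)]


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real instance.
    print(audit({"Server": "nginx"}))
    print(audit({"Content-Security-Policy":
                 "default-src 'self'; style-src 'self' 'unsafe-inline'"}))
```
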