Add CSP, HSTS and X-Content-Type-Options #719

rmsmgaspar · 2024-03-14T12:07:52Z

This issue is unique.

I have used the search tool and did not find an issue describing my idea.

Your idea.

Regarding webpage security, there is the need to create headers security with:
Content Security Policy (CSP)
HTTP Strict Transport Security (HSTS)
X-Content-Type-Options
Right now this is not possible with the docker version, it's possible to have this implemented or with some environment variables to input?
thanks in advance.

igwyd · 2024-03-19T09:13:23Z

Hello @rmsmgaspar, we add automaticaly add_header X-Content-Type-Options nosniff; and add_header Strict-Transport-Security max-age=31536000; to the nginx config if you Running ONLYOFFICE Document Server using HTTPS and we have docker variables for settings up HSTS. Regarding CSP is not implemented, i create ticket #66988 with your proposal.
BTW, you can configure any security settings yourself if you use an external proxy, our examples for proxies are here.

rmsmgaspar · 2024-04-03T21:06:07Z

Thanks

Rita-Bubnova assigned igwyd Mar 18, 2024

Rita-Bubnova transferred this issue from ONLYOFFICE/DocumentServer Mar 18, 2024

Rita-Bubnova added the feature request Issues that request new features to be added to OnlyOffice label Mar 19, 2024

Rita-Bubnova unassigned igwyd Mar 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CSP, HSTS and X-Content-Type-Options #719

Add CSP, HSTS and X-Content-Type-Options #719

rmsmgaspar commented Mar 14, 2024

igwyd commented Mar 19, 2024

rmsmgaspar commented Apr 3, 2024

Add CSP, HSTS and X-Content-Type-Options #719

Add CSP, HSTS and X-Content-Type-Options #719

Comments

rmsmgaspar commented Mar 14, 2024

This issue is unique.

Your idea.

igwyd commented Mar 19, 2024

rmsmgaspar commented Apr 3, 2024