Jump to content

Recommended HTTP headers?


plaidstallion
 Share

Go to solution Solved by plaidstallion,

Recommended Posts

plaidstallion

I was hoping someone could take a look at the HTTP headers I have my reverse proxy (Traefik v2) apply to Emby (and other apps) and let me know what might be causing issues with the app?

 

        customFrameOptionsValue: SAMEORIGIN
        browserXssFilter: true
        stsSeconds: 155520011
        referrerPolicy: no-referrer
        contentTypeNosniff: true
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        featurePolicy: true
        sslForceHost: true
        contentSecurityPolicy: "default-src ‘self’; script-src ‘self’ ‘unsafe-eval’; style-src ‘self’ ‘unsafe-inline’; frame-src *; img-src * data: blob:; font-src ‘self’ data:; media-src *;"
        accessControlAllowOriginList: [“<origin>”]
        featurePolicy: "geolocation 'none'; camera 'none'; microphone 'none'" 
 
The web interface is accessible but sometimes it doesn't load all the assets (cover art, etc) and movies will randomly not play. If I take all the headers off,  everything works fine as if I am connecting inside the LAN but then I lose that nice A+ security rating for headers scan. I suppose I can start taking them off one by one and see what might be the issue but thought the devs or forum mods may just be able to look at my list and spot what is wrong.
 
I looked for documentation of recommended headers but didn't see any articles through Google searches. Seems like a good wiki item.
Link to comment
Share on other sites

I would check out @@pir8radio's nginx config. I know it's not the same reverse proxy software, but you may pick up some tips from that.

Link to comment
Share on other sites

plaidstallion

I would check out @@pir8radio's nginx config. I know it's not the same reverse proxy software, but you may pick up some tips from that.

 

I will check it out.

 

I was able to get it functioning by taking off "media-src *;" from the contentSecurityPolicy line so it now looks like this:

contentSecurityPolicy: "default-src ‘self’; script-src ‘self’ ‘unsafe-eval’; style-src ‘self’ ‘unsafe-inline’; frame-src *; img-src * data: blob:; font-src ‘self’ data:;"

I left the rest of the options in the list above alone so it must be something with the media-src *;

 

With that line added, some movies would play but not all and the whole experience was pretty hit or miss. Seems like that resolved the issue though.

Edited by plaidstallion
  • Like 1
Link to comment
Share on other sites

  • Solution
plaidstallion

I wanted to follow up to this post with a correction. The headers actually had nothing to do with the issue. I had a global rate limit set for all my forward facing applications and Emby seems to make many many more requests than my other programs. So, while I was not shown an error, as the other programs would do if I hit the page too much, all the back end stuff that Emby does was getting blocked and I was none the wiser. I loosened the rate limiting a bit and all is well. HTTP headers were not an issue at all. This should probably be marked as the correct answer.

Edited by plaidstallion
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...