Nvitalian
Posted March 28, 2025 (edited)

This is just for those using NPM and having fits, or just novices and want an easier solution. I run Proxied behind Cloudflare. This was all doable on the CF free tier. Hope it helps someone.

Under "Transform Rules"

if incoming requests match

field = hostname
operator = equals
value = your.domain.com

set static

header = Content-Security-Policy
value = default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; media-src 'self' blob:; connect-src 'self' wss:; font-src 'self'; frame-ancestors 'self'

header = Referrer-Policy
value = strict-origin-when-cross-origin

header = X-Content-Type-Options
value = nosniff

header = X-Frame-Options
value = SAMEORIGIN

https://imgur.com/a/h5fmX9w

Tested with HTTP Header Security Test - HTTP Observatory | MDN

I run IPTV as well as standard content.

Edited March 28, 2025 by Nvitalian: Removed a Header

Nvitalian (Author)
Posted March 28, 2025

The CSP Header is screwed up, strips licensing for external users.

Corrected

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; media-src 'self' blob:; connect-src 'self' wss: https://mb3admin.com; font-src 'self'; frame-ancestors 'self';

Nvitalian (Author)
Posted March 28, 2025 (edited)

Lol another edit to the CSP

default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; media-src 'self' blob:; connect-src 'self' wss: https://mb3admin.com; font-src 'self'; object-src 'none'; frame-ancestors 'self'; worker-src 'self' blob:;

Edited March 28, 2025 by Nvitalian: PEBKAM
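
Added example, not part of the thread and not the poster's or the project's code: a small Python check that evaluates sample requests against the first and the final policy posted above, to show what each edit changed (the mb3admin.com connection, blob: workers, plugin objects). The matching is deliberately simplified (no wildcards, paths or ports), the https scheme for your.domain.com is an assumption, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

ORIGIN = "https://your.domain.com"  # placeholder host from the thread; https assumed
# Policies as posted in the thread: the first post and the final edit.
FIRST = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
         "img-src 'self' data: blob:; media-src 'self' blob:; "
         "connect-src 'self' wss:; font-src 'self'; frame-ancestors 'self'")
FINAL = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
         "img-src 'self' data: blob:; media-src 'self' blob:; "
         "connect-src 'self' wss: https://mb3admin.com; font-src 'self'; "
         "object-src 'none'; frame-ancestors 'self'; worker-src 'self' blob:;")
# CSP Level 3 fallback chain: worker-src -> child-src -> script-src -> default-src.
FALLBACK = {"worker-src": ["child-src", "script-src", "default-src"]}

def parse_csp(policy):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    parsed = {}
    for tokens in (part.split() for part in policy.split(";")):
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed

def effective_sources(policy, directive):
    """Source list governing a fetch directive, or None if nothing restricts it."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return None

def site(url):
    return tuple(urlsplit(url)[:2])  # (scheme, netloc)

def allowed(policy_text, directive, url, origin=ORIGIN):
    """Simplified matching: 'none', 'self', scheme sources, exact scheme://host."""
    sources = effective_sources(parse_csp(policy_text), directive)
    if sources is None:
        return True
    for src in sources:
        if src == "'self'" and site(url) == site(origin):
            return True
        if src.endswith(":") and urlsplit(url).scheme == src[:-1]:
            return True
        if "://" in src and site(url) == site(src):
            return True
    return False  # covers 'none' and any source list with no match

def compare(directive, url):
    """Return (allowed under FIRST, allowed under FINAL) for one request."""
    return allowed(FIRST, directive, url), allowed(FINAL, directive, url)
```

For instance, `compare("connect-src", "https://mb3admin.com/")` shows the connection refused by the first policy and permitted by the final one, and `compare("worker-src", "blob:https://your.domain.com/constructed-id")` shows the same for blob: workers, which fall back to `script-src 'self'` when `worker-src` is absent.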