How do I set headers ?

Actionhenk · Oct 7, 2019, 6:08 PM

Hi,
I have ran a few testers on the web and the tests are reporting im missing a few headers and need them to improve security.

I tried adding headers using an action on the main ha frontend like below

After applying settings Im getting an error about the option needing exactly 2 arguments .. How should I set such headers and where ? Straight in the config (wouldnt this be overwritten by ha-proxy ?)?

Thanks!

Derelict · Oct 7, 2019, 6:21 PM

You probably want to set http response headers, not request headers.

Actionhenk · Oct 7, 2019, 6:28 PM

allright thanks, I will change it to request. So this is the correct place/way to put in the headers ? How would I configure this header:

Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'

The value contains spaces, so haproxy interface on pfsense wont accept it. I get the error it needs 2 arguments ?

Thanks!

Derelict · Oct 7, 2019, 6:41 PM

Something like this.

All I did was enclose everything in double quotes. Ended up with this:

http-response set-header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"  if  yourAcl

I didn't test it.

Actionhenk · Oct 7, 2019, 6:39 PM

Cool! thanks, will test this and see if it works.

Actionhenk · Oct 7, 2019, 6:54 PM

nice, it seems to work, getting A+ result now !

Derelict · Oct 7, 2019, 6:57 PM

@Actionhenk Nice. One other thing: I haven't looked at it but I assume if you need double quotes in a string like that in the future you can just escape the ones inside the string with \"