Contentsecuritypolicy not working

- traefik.http.middlewares.simpleweb-csp.headers.contentsecuritypolicy=style-src 'self'

I added the above to the docker yml file, recreated the container, etc., but the content security policy header is still not added.

This is in docker swarm.

How to debug?

You need to declare the middlewares and you need to assign the middlewares to the router:

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`) || Host(`www.whoami.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

      - traefik.http.middlewares.mywwwredirect.redirectregex.regex=^https://www\.(.*)
      - traefik.http.middlewares.mywwwredirect.redirectregex.replacement=https://$${1}
      - traefik.http.routers.mywhoami.middlewares=mywwwredirect

Snippet from simple Traefik example.

So something like this:

- traefik.http.routers.mydashboard.middlewares=myauth
- traefik.http.middlewares.myauth.headers.contentsecuritypolicy=style-src 'self'

Tried above, still not working

The strange thing is, if I set the CSP header (form-action 'self') from my app then it does not work, browser blocks the form submission. Any idea why?

I am running the apps in a stack.

What I did was:

docker service scale app=0
docker rm <my container>
docker service scale app=1

Are these enough?

Hmm if I run this

docker inspect -f "{{json .Config.Labels}}" $cid

I don't see any traefik labels!

I am using v2.3, is this the problem?

You need to run docker stack deploy to update the stack services or use the appropriate docker service command to add the labels.

Use docker service inspect, as with Swarm the Traefik labels are on the Docker service.

Of course you can run a 3 year old Traefik version, but what prevents you from using a current v2.11? Many bugs and security issues fixed.

Thanks! I had to do a stack rm and deploy the stack again to make it work.
As for 2.3 to 2.11, I am thinking of upgrading to 3.0.0. Is 3.0.0 stable enough?

thanks

v3.0 is officially released, so is considered stable.

Check the migration guide, Swarm provider changed from providers.docker to providers.swarm.

Make sure to test the config on a separate system; don't just deploy a new version in production.
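
The three checks this thread arrives at (Traefik labels present on the Swarm service, middleware declared, middleware assigned to a router) can be run over the service's label map. This is an added example, not part of any post above or of Traefik itself; the router name `simpleweb`, the script name `check_labels.py` and the sample label maps are constructed, and names with an `@provider` suffix are skipped as a simplification.

```python
import json
import re
import sys

# Label keys are matched case-insensitively; names are compared as written.
ROUTER_MW = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares$", re.I)
MW_DECL = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.", re.I)


def check_middleware_labels(labels):
    """Return a list of findings for one Swarm service's label map."""
    traefik = {k: v for k, v in (labels or {}).items()
               if k.lower().startswith("traefik.")}
    if not traefik:
        return ["no traefik.* labels on the service (stack not redeployed?)"]
    declared, referenced = set(), set()
    for key, value in traefik.items():
        if ROUTER_MW.match(key):
            # Comma-separated list; "name@file" style entries come from
            # another provider, so only unsuffixed names are checked here.
            referenced |= {n.strip() for n in value.split(",")
                           if n.strip() and "@" not in n}
        elif (m := MW_DECL.match(key)):
            declared.add(m.group(1))
    findings = [f"router references undeclared middleware '{n}'"
                for n in sorted(referenced - declared)]
    findings += [f"middleware '{n}' is declared but not attached to any router"
                 for n in sorted(declared - referenced)]
    return findings


# Constructed sample: a CSP middleware is declared but no router uses it.
SAMPLE_UNATTACHED = {
    "traefik.enable": "true",
    "traefik.http.routers.simpleweb.rule": "Host(`app.example.com`)",
    "traefik.http.middlewares.simpleweb-csp.headers.contentsecuritypolicy":
        "style-src 'self'",
}
# Constructed sample: the same labels plus the router assignment.
SAMPLE_OK = dict(SAMPLE_UNATTACHED,
                 **{"traefik.http.routers.simpleweb.middlewares": "simpleweb-csp"})

if __name__ == "__main__":
    # docker service inspect -f '{{json .Spec.Labels}}' <service> | python3 check_labels.py
    labels = SAMPLE_UNATTACHED if sys.stdin.isatty() else json.load(sys.stdin)
    for line in check_middleware_labels(labels) or ["ok: middlewares declared and attached"]:
        print(line)
```

An empty or `null` label map from `docker service inspect` is reported as missing labels, which is the state the stack was in before it was redeployed.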