Add additional security headers to nginx config (#1906)

jdeanwallace · web-flow · commit 39f927a70c5e · 2025-08-27T12:31:53.000+02:00
Related tiny-pilot/tinypilot-pro#1593 This PR addresses the following precautionary web security considerations from tiny-pilot/tinypilot-pro#1591 (comment): - [`Content-Security-Policy` (CSP) header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) not set (i.e., prevent XSS) - [`X-Frame-Options` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options) not set (i.e., prevent clickjacking) - <s>[`Set-Cookie` header](https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Cookies#secure) without secure flag</s> - Only applicable to HTTPS connections - [`Cross-Origin-Resource-Policy` (CORP) header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy) not set (i.e., prevent [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)) vulnerability) - <s>[`Cross-Origin-Embedder-Policy` (COEP) header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy) not set</s> - Only applicable to HTTPS connections - <s>[`Cross-Origin-Opener-Policy` (COOP) header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy) not set</s> - Only applicable to HTTPS connections - <s>[`Permissions-Policy` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy) not set</s> - Only applicable to HTTPS connections - [`Server` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server) reveals Nginx version info - <s>[`Strict-Transport-Security` (HSTS) header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security) not set</s> - Only applicable to HTTPS connections - [`X-Content-Type-Options` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options) not set (i.e., prevent MIME type sniffing) Notes: 1. We've added a Content Security Policy that allows inline JavaScript and CSS via the `unsafe-inline` flag. However, [the docs warn against this](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP#inline_javascript) by saying that allowing inline JavaScript defeats much of the purpose of CSP. Our use of "inline JavaScript" is a result of not using a JavaScript build pipeline for the sake of keeping frontend development as simple as possible. Even with the use of `unsafe-inline`, I still think our CSP is adding value via the [`default-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/default-src) by restricting all resources to the same origin (i.e., `self`). 1. Our new Content Security Policy restricts the use of `data:` URLs. So I've converted our inline dot cursor image into a static image file. 1. This PR defines Nginx request headers and response headers into separate config files (located at `/etc/nginx/snippets/`). This allows us to easily redefine headers (via the `include` directive) when an Nginx config block needs to add additional headers. 1. This PR removes an unused legacy Nginx config file (i.e., `debian-pkg/usr/share/tinypilot/nginx.conf`). <a data-ca-tag href="https://codeapprove.com/pr/tiny-pilot/tinypilot/1906"><img src="https://codeapprove.com/external/github-tag-allbg.png" alt="Review on CodeApprove" /></a>
diff --git a/app/static/css/cursors.css b/app/static/css/cursors.css
@@ -15,9 +15,7 @@
 }
 
 *[cursor="dot"] > * {
-  cursor: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA4AAAAOCAYAAAAfSC3RAAAAb0lEQVQ4T9WSQQ4AMQRFuZfju5cJKcG0adNduyOer3yE/5NJTlOY8yUAABGZc4hWGvUZDIiZiygRWZxhBw3qQB9ZGzis4FLpCNypeRNXDcWHQP3Dbty+VWWuzuELuzJAwEO+nHAcfWm5XNwN2z0NHyeAUAvGKOgOAAAAAElFTkSuQmCC")
-      6 6,
-    auto !important;
+  cursor: url("/img/dot-cursor.png") 6 6, auto !important;
 }
 
 *[cursor="pointer"] > * {
diff --git a/app/static/img/dot-cursor.png b/app/static/img/dot-cursor.png
diff --git a/debian-pkg/debian/tinypilot.postinst b/debian-pkg/debian/tinypilot.postinst
@@ -149,6 +149,14 @@ if [[ ! -L "${TINYPILOT_USTREAMER_OVERRIDES_FILE}" ]]; then
     "${TINYPILOT_USTREAMER_OVERRIDES_FILE}"
 fi
 
+# Add NGINX snippets.
+cp \
+  /usr/share/tinypilot/nginx_request_headers.conf \
+  /etc/nginx/snippets/request-headers.conf
+cp \
+  /usr/share/tinypilot/nginx_response_headers.conf \
+  /etc/nginx/snippets/response-headers.conf
+
 # Disable default NGINX server.
 rm -f \
   /etc/nginx/sites-enabled/default
diff --git a/debian-pkg/usr/share/tinypilot/nginx.conf b/debian-pkg/usr/share/tinypilot/nginx.conf
diff --git a/debian-pkg/usr/share/tinypilot/nginx_request_headers.conf b/debian-pkg/usr/share/tinypilot/nginx_request_headers.conf
@@ -0,0 +1,6 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/debian-pkg/usr/share/tinypilot/nginx_response_headers.conf b/debian-pkg/usr/share/tinypilot/nginx_response_headers.conf
@@ -0,0 +1,15 @@
+# Set Content Security Policy (CSP).
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
+
+# Prevent clickjacking.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+add_header X-Frame-Options SAMEORIGIN;
+
+# Prevent MIME type sniffing.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
+add_header X-Content-Type-Options nosniff;
+
+# Set Cross-Origin Resource Policy (CORP).
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+add_header Cross-Origin-Resource-Policy same-origin;
diff --git a/debian-pkg/usr/share/tinypilot/templates/tinypilot.conf.j2 b/debian-pkg/usr/share/tinypilot/templates/tinypilot.conf.j2
@@ -20,25 +20,26 @@ server {
 
     index index.html;
 
+    # Prevent NGINX from revealing its version number.
+    server_tokens off;
+
     proxy_buffers 16 16k;
     proxy_buffer_size 16k;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_http_version 1.1;
 
+    include /etc/nginx/snippets/request-headers.conf;
+    include /etc/nginx/snippets/response-headers.conf;
+
     error_page 502 /502.html;
 
     location /socket.io {
         proxy_pass http://tinypilot;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "Upgrade";
-        # Since this is a connection upgrade, we don't inherit the settings from
-        # above. We need these so that nginx forwards requests properly to
-        # Flask-SocketIO.
-        # See: https://github.com/miguelgrinberg/Flask-SocketIO/issues/1501#issuecomment-802082048
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Redefine request headers, as they've been overwritten in this block.
+        # See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
+        include /etc/nginx/snippets/request-headers.conf;
     }
     location /state {
         proxy_pass http://ustreamer;
@@ -56,12 +57,10 @@ server {
         proxy_pass http://janus-ws;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Port $server_port;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # Redefine request headers, as they've been overwritten in this block.
+        # See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
+        include /etc/nginx/snippets/request-headers.conf;
     }
     location / {
         proxy_pass http://tinypilot;
@@ -77,6 +76,10 @@ server {
         # to the `Last-Modified` header, so we make that seem recent.
         add_header Last-Modified $date_gmt;
         add_header Cache-Control 'public, max-age=10s';
+
+        # Redefine response headers, as they've been overwritten in this block.
+        # See https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+        include /etc/nginx/snippets/response-headers.conf;
     }
     location ~* ^/.+\.(jpg|jpeg|png|ico)$ {
         root "/opt/tinypilot/app/static";

Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,7 @@`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`[cursor="dot"] > {`
`18`		`- cursor: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA4AAAAOCAYAAAAfSC3RAAAAb0lEQVQ4T9WSQQ4AMQRFuZfju5cJKcG0adNduyOer3yE/5NJTlOY8yUAABGZc4hWGvUZDIiZiygRWZxhBw3qQB9ZGzis4FLpCNypeRNXDcWHQP3Dbty+VWWuzuELuzJAwEO+nHAcfWm5XNwN2z0NHyeAUAvGKOgOAAAAAElFTkSuQmCC")`
`19`		`- 6 6,`
`20`		`- auto !important;`
	`18`	`+ cursor: url("/img/dot-cursor.png") 6 6, auto !important;`
`21`	`19`	`}`
`22`	`20`
`23`	`21`	`[cursor="pointer"] > {`