🚀 Feature: hardened CSP headers #58

New Issue

Closed

opened 2025-10-09 16:23:59 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2025-10-09 16:23:59 +03:00

Owner

Copy Link

Originally created by @lordraiden on GitHub.

Feature Description

​Add a new section to the Pocket-ID documentation that provides a recommended Content Security Policy (CSP) header configuration for the Pocket-ID login page. This policy will provide a layer of protection against client-side attacks like Cross-Site Scripting (XSS) and data injection. The documentation should explain each directive in the policy and how it contributes to security.
​The documentation should recommend a basic, secure CSP header that can be easily implemented by users running Pocket-ID behind a reverse proxy. This is a common setup in homelabs.

​### Pitch

​This feature request is about defense in depth. While Pocket-ID's core functionality is secure, the login page itself is a potential attack vector. A well-defined CSP adds a critical layer of protection by instructing the user's browser to only load resources from trusted sources.
​
​This is a low-effort, high-reward change. It doesn't require any changes to the Pocket-ID codebase itself. The recommended policy can be added to the documentation, allowing users to configure it on their own reverse proxy (like Nginx, Caddy, or Traefik). By following the example of projects like Authentik, Pocket-ID can provide its users with the tools they need to harden their own self-hosted environments.

Originally created by @lordraiden on GitHub. ### Feature Description ​Add a new section to the Pocket-ID documentation that provides a recommended Content Security Policy (CSP) header configuration for the Pocket-ID login page. This policy will provide a layer of protection against client-side attacks like Cross-Site Scripting (XSS) and data injection. The documentation should explain each directive in the policy and how it contributes to security. ​The documentation should recommend a basic, secure CSP header that can be easily implemented by users running Pocket-ID behind a reverse proxy. This is a common setup in homelabs. ​### Pitch ​This feature request is about defense in depth. While Pocket-ID's core functionality is secure, the login page itself is a potential attack vector. A well-defined CSP adds a critical layer of protection by instructing the user's browser to only load resources from trusted sources. ​ ​This is a low-effort, high-reward change. It doesn't require any changes to the Pocket-ID codebase itself. The recommended policy can be added to the documentation, allowing users to configure it on their own reverse proxy (like Nginx, Caddy, or Traefik). By following the example of projects like Authentik, Pocket-ID can provide its users with the tools they need to harden their own self-hosted environments.

OVERLORD closed this issue 2025-10-09 16:24:00 +03:00

OVERLORD commented 2025-10-09 16:24:03 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

I believe it would be a good idea to add a default CSP header to Pocket ID. If users want to harden the header further by overriding it, they can do so on their reverse proxy. However, I don't think we need to document this, as a CSP header applies to all applications and is not specific to Pocket ID. Do you agree?

@stonith404 commented on GitHub: I believe it would be a good idea to add a default CSP header to Pocket ID. If users want to harden the header further by overriding it, they can do so on their reverse proxy. However, I don't think we need to document this, as a CSP header applies to all applications and is not specific to Pocket ID. Do you agree?

OVERLORD referenced this issue 2025-10-09 16:59:23 +03:00

[PR #244] [MERGED] feat: add ability to upload a profile picture #901

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#58