Paperless-ng on the web.

[ghost]

Hi everybody.

I started to host paperless-ng on a remote server which is accessible via an Nginx-proxy. I'm nowhere near a security expert and all I do is read and pretty much copy-paste code from StackOverflow and GitHub threads, but two things I would like to discuss which might be helpful for future users of paperless-ng.

# security options
SESSION_COOKIE_SECURE = True
# SECURE_SSL_REDIRECT = True => doesn't work, nginx errors
SECURE_HSTS_SECONDS = 31536000
CSRF_COOKIE_SECURE = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

...are not set in the paperless-ng settings.py
I have no clue if they are important when being used behind a proxy but except for the SECURE_SSL_REDIRECT one at least can activate them without Nginx throwing errors.

Second:
To increase security (according to Mozilla observatory) one could add some additional headers.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
add_header X-XSS-Protection "1; mode=block";

Maybe this would be a helpful hint for the documentation?

I'm kind of stuck with a useful Content-Security-Policy header. Does anyone of you have any ideas about what could work without breaking Angular and the CSS?

[TobenderZephyr]

This is an expected behaviour when using reverse proxies, because they terminate the connection between client and backend.
I guess the SECURE_SSL_REDIRECT needs you to configure more parameters like your certificate's private and public part, aswell as the listening port (443). When not using a reverse proxy but enabling SSL, you wouldn't need a reverse proxy.
My guess is since you're running nginx on port 80 and 443 (for HTTPS), paperless-ng is not able to open the port 443 to listen to it.

For containers I usually always use traefik as an reverse proxy because you dont need to reconfigure it for each backend.
As for nginx, i would use something like this:

add_header Cache-Control "public, max-age=15778463";
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

BUT!
Be sure to read the documentation on Strict-Transport-Security (or HSTS) and what it does, since it can easily make clients not trust your whole domain if used incorrectly! (especially the includeSubDomains-part.)