HTTPS Security headers for NS8 apps

Hello!
Due to frequent blocking of the webtop Web GUI by a company security measure (namely the blue shield tool), where the webtop and NS8 GUI are detected as a phishing-relevant site, I analyzed the HTTPS security measures a bit (not really in-depth yet). I understood that in NS7 a lot of discussions happened around that - I did not find anything regarding NS8 however, but maybe I missed it.

Now I just found that the webtop application has different security settings than nextcloud and than the general NS8 server.

Webtop URL:

Nextcloud URL:

General NS8

Is there any reason for these different configurations? I understood all the endpoints should be handled by traefik.
And is there a possibility as admin to improve this?

Thanks for a clarification or hint.

Traefik as a reverse proxy in this case just provides the content of the web server of the app behind it.

The Webtop app seems to lack some security headers. Usually you can set them at the web server, see PTC Help Center

But as the apps just provide HTTP, traefik should be used. It’s able to provide those headers instead of the app behind it, see Traefik Headers Documentation - Traefik
I’m going to test some more…

1 Like

Note that many of these headers have downsides that the scanner tools don’t report. One that comes to mind is HSTS: it enforces secure connections for whatever period of time is specified, typically a year from the last time your browser saw the header. Sounds great, right? Well, until there’s a problem with cert renewal, and now you’re locked out of your site. It’s a good thing to enable once you’re sure that getting and renewing certs is working as expected, but IMO shouldn’t be on by default.

At least they aren’t pushing HPKP any more…

2 Likes

As my issue still exists, can you provide me please with a hint how I could add Traefik Headers for specific applications (e.g. webtop) in NS8? Not sure which configs to change where. Thanks.

I tried to fix it for Webtop and reached an A. CSP didn’t work as Webtop wasn’t available anymore in my tests.
It should work similar with other webapps.

The following change gets overwritten when Webtop is reconfigured in the NS8 app settings.

Edit the Webtop traefik route: (in this example the app instances are traefik1 and webtop1)

runagent -m traefik1 nano configs/webtop1.yml

I just added “middlewares” sections in router “webtop1-https” and at the bottom.

http:
  services:
    webtop1:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:20015
  routers:
    webtop1-http:
      rule: Host(`webtop.domain.tld`)
      priority: 2
      service: webtop1
      middlewares:
        - http2https-redirectscheme
      entryPoints:
        - http
    webtop1-https:
      rule: Host(`webtop.domain.tld`)
      priority: 2
      service: webtop1
      middlewares:
        - webtop-headers
      entryPoints:
        - https
      tls:
        domains:
          - main: webtop.domain.tld
        certResolver: acmeServer
  middlewares:
    webtop-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        forceSTSHeader: true
        contentTypeNosniff: true
        stsPreload: true
        customFrameOptionsValue: SAMEORIGIN
        referrerPolicy: same-origin
        permissionsPolicy: geolocation=(self "https://webtop.domain.tld")
1 Like
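
Since the thread is now collecting apps with missing headers, here is a small checker that does offline what the scanner does online: it takes a set of response headers and reports which of the headers the `webtop-headers` middleware above would add are missing, plus the HSTS pitfalls danb35 mentioned (short max-age, preload without includeSubDomains, and how long a browser will be pinned to TLS once the header is seen). This is an added example, not code from the thread, NS8 or Traefik; the header-to-option mapping in `EXPECTED` is my own based on Traefik's option names, the two sample header sets are constructed, and `fetch_headers` is an optional standard-library helper for the hosts you administer.

```python
# Added example (not from the thread or the NS8/Traefik projects): check a set
# of HTTP response headers against what a Traefik `headers` middleware like the
# one above emits, and flag the HSTS caveats raised in the thread.
import http.client
import re
import ssl

# Response header -> Traefik middleware option that produces it (assumed mapping).
EXPECTED = {
    "strict-transport-security": "stsSeconds / forceSTSHeader",
    "x-frame-options": "frameDeny / customFrameOptionsValue",
    "x-content-type-options": "contentTypeNosniff",
    "referrer-policy": "referrerPolicy",
    "permissions-policy": "permissionsPolicy",
    "content-security-policy": "contentSecurityPolicy",
}

# 180 days: anything below this is rejected by HSTS preload list submission.
MIN_HSTS_MAX_AGE = 15552000


def check_headers(headers):
    """Return {"missing": [...], "warnings": [...], "notes": [...]} for a header dict."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in EXPECTED if name not in lower]
    warnings, notes = [], []

    hsts = lower.get("strict-transport-security", "")
    if hsts:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < MIN_HSTS_MAX_AGE:
            warnings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
        if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
            warnings.append("HSTS preload requires includeSubDomains")
        # The lock-in described above: browsers refuse a bad certificate on this
        # host until max-age expires, so cert renewal must be proven first.
        notes.append(f"HSTS pins this host to TLS for {max_age // 86400} days")

    if lower.get("x-content-type-options", "nosniff").lower() != "nosniff":
        warnings.append("X-Content-Type-Options should be 'nosniff'")
    if "x-xss-protection" in lower:
        warnings.append("X-XSS-Protection (browserXssFilter) is deprecated; use CSP")
    return {"missing": missing, "warnings": warnings, "notes": notes}


def fetch_headers(host, path="/", timeout=10.0):
    """HEAD request over TLS; returns the response headers as a dict."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", path, headers={"Host": host, "User-Agent": "header-check"})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: what a scanner sees after the middleware above is applied.
WEBTOP_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": 'geolocation=(self "https://webtop.domain.tld")',
}

# Constructed sample: a bare app response passed through Traefik unchanged.
BARE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}


def report(name, headers):
    """Print a short scanner-style summary for one header set."""
    result = check_headers(headers)
    print(f"== {name}")
    for h in result["missing"]:
        print(f"  missing {h:<28} (Traefik option: {EXPECTED[h]})")
    for line in result["warnings"] + result["notes"]:
        print(f"  {line}")


if __name__ == "__main__":
    report("webtop with middleware (sample)", WEBTOP_HEADERS)
    report("bare app (sample)", BARE_HEADERS)
    # report("webtop.domain.tld", fetch_headers("webtop.domain.tld"))
```

Run it as-is to see both samples; uncomment the last line with one of your own FQDNs to compare a live app. The point of the `notes` entry is to make the HSTS commitment visible before you decide on `stsSeconds`.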

I just scanned the FQDN of some apps like jitsi, Immich, opencloud and more. They all come out VERY scary…. Should I be worried? (or open a separate post with details?)

1 Like

No, it’s nothing to be worried about. The security headers are not easy to set up as the apps may need different settings and, as @danb35 pointed out, it could make your site unusable if set wrong or too strict.

Maybe it’s possible to find some good working default settings that could be enabled for all apps…

I think it’s best to add it here so we get a list of apps with missing security headers. We could edit the topic and category of this thread.

If there are many details that differ from this issue, then I’d recommend opening a new thread.

1 Like

To test:

  • Dokuwiki
  • Immich
  • Jitsi
  • Kimai
  • KitchenOwl
  • Moodle
  • NextCloud
  • OpenCloud
1 Like


I changed it to a wiki post.

1 Like

Rocky

1 Like

Rocky

1 Like

Dokuwiki on Rocky

Jitsi on Rocky

OpenCloud on Rocky

Sogo on Rocky

1 Like