Hello!
Due to frequent blocking of the webtop Web GUI by company security measures (namely the blue shield tool), where the webtop and NS8 GUI are detected as a phishing-relevant site, I analyzed the HTTPS security measures a bit (not really in depth yet). I understood that in NS7 a lot of discussions happened around that; I did not find anything regarding NS8, however, but maybe I missed it.
Now I just found that the webtop application has different security settings than Nextcloud and than the general NS8 server.
Is there any reason for these different configurations? I understood all the endpoints should be handled by Traefik.
And is there a possibility as admin to improve this?
Traefik as a reverse proxy in this case just provides the content of the web server of the app behind it.
The Webtop app seems to lack some security headers. Usually you can set them at the web server, see PTC Help Center.
But as the apps just provide HTTP, Traefik should be used. It's able to provide those headers instead of the app behind it, see Traefik Headers Documentation - Traefik.
I’m going to test some more…
Note that many of these headers have downsides that the scanner tools don't report. One that comes to mind is HSTS: it enforces secure connections for whatever period of time is specified, typically a year from the last time your browser saw the header. Sounds great, right? Well, until there's a problem with cert renewal, and now you're locked out of your site. It's a good thing to enable once you're sure that getting and renewing certs is working as expected, but IMO shouldn't be on by default.
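As an added example (not configuration from the thread, from NS8 or from Webtop), here is a Traefik v2 file-provider fragment that supplies the missing headers through a headers middleware attached to a router; the router and service names, hostname and backend URL are assumptions. It leaves HSTS off, following the caveat about certificate renewal in the reply above.

```yaml
# Added example: Traefik v2 dynamic configuration (file provider).
# Router/service names, hostname and backend URL are assumptions; adapt them
# to the actual route NS8 creates for the app.
http:
  middlewares:
    webtop-security-headers:
      headers:
        # Stop browsers from sniffing a different content type
        contentTypeNosniff: true
        # Disallow framing by other origins (clickjacking)
        frameDeny: true
        # Limit what the Referer header leaks to third-party sites
        referrerPolicy: "strict-origin-when-cross-origin"
        # Minimal Content-Security-Policy; a webmail client may need a looser
        # policy, so check the browser console for blocked resources first
        contentSecurityPolicy: "default-src 'self'; frame-ancestors 'self'"
        customResponseHeaders:
          Permissions-Policy: "camera=(), microphone=(), geolocation=()"
        # HSTS is deliberately not set here. Enable it only once certificate
        # issuance and renewal are known to work, e.g.:
        # stsSeconds: 31536000
        # stsIncludeSubdomains: true
  routers:
    webtop:
      rule: "Host(`mail.example.org`)"   # assumed hostname
      entryPoints:
        - websecure
      tls: {}
      middlewares:
        - webtop-security-headers
      service: webtop
  services:
    webtop:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # assumed plain-HTTP backend of the app
```

After reloading the configuration, confirm the headers with `curl -sI https://mail.example.org/` before trusting any scanner score.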