Changing csp_directives for HedgeDoc behing nginx proxy manager | Home Assistant | Page 1

tropic mango Apr 17, 2025, 6:57 PM

#

this is kinda errors I'm getting

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src <URL> <URL> <URL> <URL> <URL> <URL> 'unsafe-inline'

#

I feel like I need to do something like this: https://github.com/hedgedoc/hedgedoc/issues/923 but IKD how to configure it

GitHub

CSP Rules · Issue #923 · hedgedoc/hedgedoc

When enabling the content security policy, the following header is sent: Content-Security-Policy: default-src 'self'; script-src 'self' vimeo.com https://gist.github.com www.slidesh...

tropic mango Apr 17, 2025, 9:41 PM

#

I made from progress by adding this to the config:

#

csp:
  enable: true
  addDefaults: true
  directives:
    scriptSrc: mydomain.com, homeassistant.local

#

however now I'm getting:

Mixed Content: The page at 'https://XXXXX/' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://XXXXX/login'. This endpoint should be made available over a secure connection.Understand this warning
XXXXX/:1 Refused to send form data to 'http://XXXXX/login' because it violates the following Content Security Policy directive: "form-action 'self'".

#

how can I make sure everything stay https?

tropic mango Apr 17, 2025, 10:04 PM

#

ok I enforced https everywhere with NPM but now I get because it violates the following Content Security Policy directive: "base-uri 'self'".

tropic mango Apr 20, 2025, 4:36 AM

#

took some time but I figured it out from this doc: https://hub.docker.com/r/linuxserver/hedgedoc

#Changing csp_directives for HedgeDoc behing nginx proxy manager