Adding reverse-proxy security header snippets to caddy/nginx/haproxy docs #1270
Closed
CmdKratosDev
started this conversation in
Ideas
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hi everyone,
I wanted to float an idea for a small docs addition before opening a PR — partly because the repo guidelines ask for discussion first, and partly because I want to make sure the framing fits how the team thinks about security docs.
The gap I noticed
The hardening docs cover setting security headers via environment variables at the application layer. That is clearly the right primary path, and I do not want to change that.
What the current reverse-proxy deployment pages (caddy.md, nginx.md, haproxy.md) do not have is:
What I am proposing
A single new section in each of the three files —
## Optional: Security Headers via Reverse Proxy. The section would:REPORT_ONLYtesting before enforcingThe snippets have been tested locally (curl-verified against a running Open WebUI instance behind each proxy type).
Scope
The env-var path in
hardening.mdalready covers security headers and remains the recommended approach. This is purely a documentation cross-reference: a pointer plus a proxy-layer snippet on the deployment pages, for operators who configure headers at the proxy. No application behavior changes.The three sections are drafted and curl-tested against a default install. Unless you'd prefer I hold off or adjust the scope, I'll open a small PR with them — happy to refine the framing first.
Beta Was this translation helpful? Give feedback.
All reactions