refactor: harden nginx config with per-location security headers#767
refactor: harden nginx config with per-location security headers#767
Conversation
- extract COEP/COOP headers into security-headers.conf snippet - include snippet in every location to avoid add_header inheritance trap - drop Upgrade/Connection proxy headers (backend uses SSE, not WebSocket) - use $proxy_host instead of $host for backend Host header
Semgrep Security ScanNo security issues found. |
PR Metrics
Updated Fri, 24 Apr 2026 21:00:34 GMT · run #1206 |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ff43ac8. Configure here.
|
|
||
| proxy_pass http://backend:8000/v1/; | ||
| proxy_set_header Host $host; | ||
| proxy_set_header Host $proxy_host; |
There was a problem hiding this comment.
Proxy Host header changed to internal service name
Medium Severity
Changing proxy_set_header Host from $host to $proxy_host sends the internal Docker service name (backend:8000) to the backend instead of the client-facing hostname. This can break BetterAuth's cookie domain handling, CSRF validation, or any logic comparing the request host against the configured BETTER_AUTH_URL (which is set to the public-facing URL). This behavioral change appears unrelated to the PR's stated goal of per-location security headers.
Reviewed by Cursor Bugbot for commit ff43ac8. Configure here.
1 participant
Note
Low Risk
Low risk: nginx config refactor plus proxy header tweaks; main risk is unintended header/proxy behavior changes for
/v1and static routes if assumptions about SSE/Host handling are wrong.Overview
Centralizes
Cross-Origin-Embedder-PolicyandCross-Origin-Opener-Policyinto a newsecurity-headers.confsnippet and includes it from each relevantlocationblock to avoid nginxadd_headerinheritance pitfalls.Updates the
/v1/reverse proxy to setHostusing$proxy_hostand explicitly drops WebSocketUpgrade/Connectionheaders (documenting SSE intent). The frontend nginx image now copies the new headers snippet into/etc/nginx/snippets/.Reviewed by Cursor Bugbot for commit ff43ac8. Bugbot is set up for automated code reviews on this repo. Configure here.