From bf652175f92b0f1be1ae676ddbf5f087ff83ef0c Mon Sep 17 00:00:00 2001
From: Matthew Pomes <matthew.pomes@pm.me>
Date: Mon, 19 Jan 2026 18:54:31 -0600
Subject: [PATCH] Fix nginx headers for vaultwarden

---
 nginx/sites-enabled/bitwarden | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/nginx/sites-enabled/bitwarden b/nginx/sites-enabled/bitwarden
index ed59c61..057fee5 100644
--- a/nginx/sites-enabled/bitwarden
+++ b/nginx/sites-enabled/bitwarden
@@ -40,21 +40,33 @@ server {
     # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     # Enforces https content and restricts JS/CSS to origin
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-    set $CSP "default-src https: data: blob:";
-    set $CSP "$CSP; img-src 'self' https://* data:";
-    set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
-    set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
-    set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
-    set $CSP "$CSP; worker-src 'self' blob: data:";
-    set $CSP "$CSP; connect-src 'self' data:";
-    set $CSP "$CSP; object-src 'none' data:";
-    set $CSP "$CSP; frame-ancestors 'self' data:";
-    set $CSP "$CSP; font-src 'self' data:";
-    add_header Content-Security-Policy $CSP;
+    # set $CSP "default-src https: data: blob:";
+    # set $CSP "$CSP; img-src 'self' https://* data:";
+    # set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
+    # set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
+    # set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
+    # set $CSP "$CSP; worker-src 'self' blob: data:";
+    # set $CSP "$CSP; connect-src 'self' data:";
+    # set $CSP "$CSP; object-src 'none' data:";
+    # set $CSP "$CSP; frame-ancestors 'self' data:";
+    # set $CSP "$CSP; font-src 'self' data:";
+    # add_header Content-Security-Policy $CSP;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
     }
+    location /notifications/hub {
+        proxy_pass http://bitwarden:80;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
 
     location / {
         # Proxy main bitwarden traffic
@@ -65,7 +77,6 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Protocol $scheme;
         proxy_set_header X-Forwarded-Host $http_host;
-        proxy_hide_header Content-Security-Policy;
 
         # Disable buffering when the nginx proxy gets very resource heavy upon streaming
         proxy_buffering off;