github-starred/actual-actualbudget-1
2
0
Fork 0
mirror of https://github.com/actualbudget/actual.git synced 2026-03-11 17:47:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

docs: add guidance on avoiding Nginx header collisions for COOP/COEP (#6477)

Browse Source 
* fix-nginx-header-collision

Added a note on Cross-Origin Isolation and header collisions for Nginx configuration, including a sample Nginx configuration to prevent header duplication.

* Fix formatting of headers in NGINX documentation

* Add new terms to spelling expectations

* Fix placement of 'COOP' in expect.txt

* Update reverse-proxies.md doc display
This commit is contained in:
Herbert Kipkoech
2026-01-05 12:00:41 +03:00
committed by GitHub
parent 235d771d58
commit 88fbfe7078
2 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/docs-spelling/expect.txt vendored
View File

@@ -38,7 +38,9 @@ Cloudflare
CMCIFRPAXXX
COBADEFF
CODEOWNERS
COEP
commerzbank
COOP
Copiar
COUNTA
COUNTBLANK

25
packages/docs/docs/config/reverse-proxies.md
View File

@@ -109,6 +109,31 @@ Please refer to the [official documentation](https://doc.traefik.io/traefik/user
## NGINX
### Note on Cross-Origin Isolation & Header Collisions
Actual Budget requires a "Secure Context" and specific headers (`COOP/COEP`) to enable `SharedArrayBuffer` for its underlying SQLite engine. While the application attempts to set these headers automatically, implementing a manual Nginx configuration as suggested above can lead to **duplicate headers** (e.g., `require-corp, require-corp`).
Modern browsers will invalidate security policies if headers are duplicated, resulting in a `SharedArrayBufferMissing` fatal error.
To resolve the "additional security mechanisms" mentioned in the note above, use the `proxy_hide_header` directive to ensure Nginx acts as the single source of truth:
```nginx
location / {
proxy_pass http://actual_server:5006;
# Prevents header duplication between Upstream and Proxy
proxy_hide_header Cross-Origin-Embedder-Policy;
proxy_hide_header Cross-Origin-Opener-Policy;
# Explicitly set mandatory security headers
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Origin-Agent-Cluster "?1" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
```
The SSL certificate is issued by Let's Encrypt. The [Certbot](https://certbot.eff.org/instructions) tool provides options for automatic updating upon expiration.
At the very least you will need to adapt `server_name` and the `ssl_certificate/ssl_certificate_key` paths to match your setup.
Please refer to their [official documentation](https://nginx.org/en/docs/) for further details.