After a successful installation of my own Jitsi Meet instance I had some time to deal with the security settings.
In particular I tried to secure the nginx webserver as far as possible and recommended by the Mozilla Observatory. The only shortcoming at the moment seems to be that the Jitsi Server only runs if the CSP script-src and style-src are configured with ‘unsafe-inline’.
Is there a development plan to remedy this? (Implementing nonces, for example)
Current settings (successfully tested):
add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS protection "1; mode=block"; add_header Content Security Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self'; media-src 'self'"; add_header referrer policy "strict-origin";
This, together with other settings around TLS and ciphers, leads to a good B+ rating at Mozilla Observatory. But an A+ would be desirable of course.
A corresponding post (dated Nov. 2016) can be found in the archive, but without any reaction.