diff --git a/installs_on_host/Caddyfile b/installs_on_host/Caddyfile
index 4b46c5c..e52c01d 100644
--- a/installs_on_host/Caddyfile
+++ b/installs_on_host/Caddyfile
@@ -445,6 +445,50 @@ search.delmar.bzh
 gzip
 minimum_length 1024
 }
+ @api {
+ path /config
+ path /healthz
+ path /stats/errors
+ path /stats/checker
+ }
+ @static {
+ path /static/*
+ }
+ @imageproxy {
+ path /image_proxy
+ }
+ header {
+ # CSP (https://content-security-policy.com)
+ Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https:; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src * data:; frame-src https:;"
+
+ # Disable browser features
+ Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
+
+ # Only allow same-origin requests
+ Referrer-Policy "same-origin"
+
+ # Prevent MIME type sniffing from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+
+ # Comment header to allow indexing by search engines
+ X-Robots-Tag "noindex, nofollow, noarchive, nositelinkssearchbox, nosnippet, notranslate, noimageindex"
+
+ # enable HSTS
+ # WARNING: Once this value is set, the site must continue to support HTTPS until the expiry time is reached.
+
+ # Strict-Transport-Security max-age=15768000;
+
+ # Remove "Server" header
+ -Server
+ Access-Control-Allow-Methods "GET, OPTIONS"
+ Access-Control-Allow-Origin "*"
+ }
+ route {
+ # Cache policy
+ header Cache-Control "no-cache"
+ header @static Cache-Control "public, max-age=30, stale-while-revalidate=60"
+ header @imageproxy Cache-Control "public, max-age=3600"
+ }
 reverse_proxy patrick:23485
 }
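Review bot: `Access-Control-Allow-Origin "*"` and `Access-Control-Allow-Methods "GET, OPTIONS"` are placed in the unscoped `header { … }` block, so every response from this site — HTML results, `/config`, `/stats/*`, everything — is marked readable cross-origin by any page a visitor has open, while the `@api` matcher declared at the top of the hunk is never referenced by any directive. The two lines were presumably meant for a matcher-scoped block: remove them from `header { … }` and add `header @api {` / `Access-Control-Allow-Methods "GET, OPTIONS"` / `Access-Control-Allow-Origin "*"` / `}` after it, so the wildcard covers only the endpoints the matcher names. The case worth avoiding is an instance that is reachable only from an internal network or an allow-list, where the unscoped wildcard would let a browser on that network act as a cross-origin relay for the full results page. The `search.delmar.bzh { … }` site block begins outside this hunk; only its closing brace is visible here.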