From 06b2b1aefa1992a1e8b8fa734f5f8e5fd181ce13 Mon Sep 17 00:00:00 2001
From: trivernis
Date: Mon, 9 Oct 2023 17:03:59 +0200
Subject: [PATCH] Add security headers
---
 apps/searxng/app/route.yaml | 3 +++
 apps/tandoor/app/route.yaml | 19 +++++++++++++++++++
 apps/traefik/app.yaml | 2 ++
 apps/traefik/app/security-headers.yaml | 17 +++++++++++++++++
 apps/traefik/app/strict-security-headers.yaml | 18 ++++++++++++++++++
 5 files changed, 59 insertions(+)
 create mode 100644 apps/traefik/app/security-headers.yaml
 create mode 100644 apps/traefik/app/strict-security-headers.yaml
diff --git a/apps/searxng/app/route.yaml b/apps/searxng/app/route.yaml
index 4a49c16..60798a4 100644
--- a/apps/searxng/app/route.yaml
+++ b/apps/searxng/app/route.yaml
@@ -9,6 +9,9 @@ spec:
 routes:
 - match: Host(`search.trivernis.dev`) || Host(`search.trivernis.net`)
 kind: Rule
+ middlewares:
+ - name: strict-security-headers
+ namespace: default
 services:
 - name: searxng-srv
 port: 8080
diff --git a/apps/tandoor/app/route.yaml b/apps/tandoor/app/route.yaml
index 7794e9b..686f82c 100644
--- a/apps/tandoor/app/route.yaml
+++ b/apps/tandoor/app/route.yaml
@@ -1,4 +1,17 @@
 apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: default
+spec:
+ headers:
+ stsSeconds: 15768000
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: same-origin
+ customFrameOptionsValue: SAMEORIGIN
+---
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
 name: recipes-route
@@ -9,11 +22,17 @@ spec:
 routes:
 - match: (Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)) && (Path(`/media`) || Path(`/static`))
 kind: Rule
+ middlewares:
+ - name: security-headers
+ namespace: default
 services:
 - name: tandoor
 port: 80
 - match: Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)
 kind: Rule
+ middlewares:
+ - name: security-headers
+ namespace: default
 services:
 - name: tandoor
 port: 8080
\ No newline at end of file
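Review bot: The added `middlewares` entry pins `namespace: default`, but the IngressRoute's own `metadata.namespace` lies outside this hunk. If the route is not in `default`, Traefik's Kubernetes CRD provider resolves the reference only when `allowCrossNamespace` is enabled, so confirm the two namespaces match. A comment above the entry such as `# defined in apps/traefik/app/strict-security-headers.yaml` would tell a reader where the referenced object comes from. The two `middlewares` entries added to apps/tandoor/app/route.yaml carry the same dependency.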
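Review bot: The first hunk of apps/tandoor/app/route.yaml defines a `Middleware` named `security-headers` in namespace `default`, and this same commit adds an object with identical kind, name and namespace in apps/traefik/app/security-headers.yaml. The two specs differ (the copy here has no `customResponseHeaders`), so the header set the recipes routes actually receive depends on which manifest was applied last. Remove the Middleware document and the `---` separator from this file and let both routes reference the one shipped with Traefik. If tandoor needs its own policy, give it a distinct name, for example `name: tandoor-security-headers`.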
diff --git a/apps/traefik/app.yaml b/apps/traefik/app.yaml
index 5fd99f5..c6906a4 100644
--- a/apps/traefik/app.yaml
+++ b/apps/traefik/app.yaml
@@ -5,3 +5,5 @@ metadata:
 name: traefik
 resources:
 - app/traefik-config.yaml
+ - app/security-headers.yaml
+ - app/strict-security-headers.yaml
diff --git a/apps/traefik/app/security-headers.yaml b/apps/traefik/app/security-headers.yaml
new file mode 100644
index 0000000..d6dbd48
--- /dev/null
+++ b/apps/traefik/app/security-headers.yaml
@@ -0,0 +1,17 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: default
+spec:
+ headers:
+ stsSeconds: 15768000
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: same-origin
+ customFrameOptionsValue: SAMEORIGIN
+
+ customResponseHeaders:
+ X-Robots-Tag: noindex,nofollow
+ X-Download-Options: noopen
+ X-Powered-By: coffee X-Powered-By
\ No newline at end of file
diff --git a/apps/traefik/app/strict-security-headers.yaml b/apps/traefik/app/strict-security-headers.yaml
new file mode 100644
index 0000000..fbd682c
--- /dev/null
+++ b/apps/traefik/app/strict-security-headers.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: strict-security-headers
+ namespace: default
+spec:
+ headers:
+ stsSeconds: 15768000
+ contentTypeNosniff: true
+ browserXssFilter: true
+ referrerPolicy: no-referrer
+ frameDeny: true
+
+ customResponseHeaders:
+ X-Robots-Tag: noindex,nofollow
+ X-Download-Options: noopen
+ X-Permitted-Cross-Domain-Policies: none
+ X-Powered-By: coffee X-Powered-By
\ No newline at end of file
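Review bot: In apps/traefik/app/security-headers.yaml the last custom header reads `X-Powered-By: coffee X-Powered-By`, and strict-security-headers.yaml repeats it; this looks like a paste slip and `X-Powered-By: coffee` was presumably meant. Setting a value replaces whatever the backend sent, while an empty value (`X-Powered-By: ""`) makes Traefik remove the header, which is the more usual hardening choice. `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, a header current browsers no longer act on, so I would drop it from both files and rely on a `contentSecurityPolicy` value instead. Traefik adds the `stsSeconds` header only on TLS connections unless `forceSTSHeader: true` is set, so confirm these routes terminate TLS at Traefik.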
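Review bot: In strict-security-headers.yaml, `frameDeny: true` only sets `X-Frame-Options: DENY`, and the profile carries no Content-Security-Policy, so framing control rests on the legacy header alone. Adding `contentSecurityPolicy: "frame-ancestors 'none'"` under `headers:` expresses the same restriction in the form current browsers prefer, and leaves a place to tighten the policy per app later. A leading comment stating what this profile adds over `security-headers` (no-referrer, frame deny, `X-Permitted-Cross-Domain-Policies: none`) would help whoever has to choose between the two.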