Add security headers

main
trivernis 1 year ago
parent 904731e4d7
commit 06b2b1aefa
Signed by: Trivernis
GPG Key ID: DFFFCC2C7A02DB45

@ -9,6 +9,9 @@ spec:
routes: routes:
- match: Host(`search.trivernis.dev`) || Host(`search.trivernis.net`) - match: Host(`search.trivernis.dev`) || Host(`search.trivernis.net`)
kind: Rule kind: Rule
middlewares:
- name: strict-security-headers
namespace: default
services: services:
- name: searxng-srv - name: searxng-srv
port: 8080 port: 8080

@ -1,4 +1,17 @@
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: security-headers
namespace: default
spec:
headers:
stsSeconds: 15768000
contentTypeNosniff: true
browserXssFilter: true
referrerPolicy: same-origin
customFrameOptionsValue: SAMEORIGIN
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: recipes-route name: recipes-route
@ -9,11 +22,17 @@ spec:
routes: routes:
- match: (Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)) && (Path(`/media`) || Path(`/static`)) - match: (Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)) && (Path(`/media`) || Path(`/static`))
kind: Rule kind: Rule
middlewares:
- name: security-headers
namespace: default
services: services:
- name: tandoor - name: tandoor
port: 80 port: 80
- match: Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`) - match: Host(`recipes.trivernis.dev`) || Host(`recipes.trivernis.net`)
kind: Rule kind: Rule
middlewares:
- name: security-headers
namespace: default
services: services:
- name: tandoor - name: tandoor
port: 8080 port: 8080

@ -5,3 +5,5 @@ metadata:
name: traefik name: traefik
resources: resources:
- app/traefik-config.yaml - app/traefik-config.yaml
- app/security-headers.yaml
- app/strict-security-headers.yaml

@ -0,0 +1,17 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: security-headers
namespace: default
spec:
headers:
stsSeconds: 15768000
contentTypeNosniff: true
browserXssFilter: true
referrerPolicy: same-origin
customFrameOptionsValue: SAMEORIGIN
customResponseHeaders:
X-Robots-Tag: noindex,nofollow
X-Download-Options: noopen
X-Powered-By: coffee X-Powered-By

@ -0,0 +1,18 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: strict-security-headers
namespace: default
spec:
headers:
stsSeconds: 15768000
contentTypeNosniff: true
browserXssFilter: true
referrerPolicy: no-referrer
frameDeny: true
customResponseHeaders:
X-Robots-Tag: noindex,nofollow
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: coffee X-Powered-By
Loading…
Cancel
Save