From c06e076e5633124c87c2f0d53553ad6a74532980 Mon Sep 17 00:00:00 2001
From: Greg
Date: Fri, 18 Jul 2025 23:20:49 +0200
Subject: [PATCH] feat: add security headers for Nginx, Caddy and Traefik with debug header

---
 Dockerfile | 19 +++++++++++++++++++
 nginx.conf | 3 +++
 2 files changed, 22 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 0f8b0ba..fd383d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,5 +54,24 @@ COPY nginx.conf /etc/nginx/conf.d/default.conf
 # Expose port 80
 EXPOSE 80
 
+# Security Headers Labels for Coolify Reverse Proxy
+LABEL caddy.header.Content-Security-Policy="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
+LABEL caddy.header.Strict-Transport-Security="max-age=31536000; includeSubDomains; preload"
+LABEL caddy.header.X-Frame-Options="DENY"
+LABEL caddy.header.X-Content-Type-Options="nosniff"
+LABEL caddy.header.Referrer-Policy="strict-origin-when-cross-origin"
+LABEL caddy.header.X-XSS-Protection="1; mode=block"
+LABEL caddy.header.Permissions-Policy="geolocation=(), microphone=(), camera=()"
+
+# Alternative Traefik labels (if switching to Traefik)
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Content-Security-Policy="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Strict-Transport-Security="max-age=31536000; includeSubDomains; preload"
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.X-Frame-Options="DENY"
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.X-Content-Type-Options="nosniff"
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Referrer-Policy="strict-origin-when-cross-origin"
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.X-XSS-Protection="1; mode=block"
+LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Permissions-Policy="geolocation=(), microphone=(), camera=()"
+LABEL traefik.http.routers.myfavstuff5.middlewares="security-headers"
+
 # Start Nginx in foreground
 CMD ["nginx", "-g", "daemon off;"]
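Review bot: The Traefik labels attach the security headers under `customrequestheaders`, which sets headers on the request Traefik forwards to nginx, so a browser would never receive them; response headers belong under `customresponseheaders`, i.e. `traefik.http.middlewares.security-headers.headers.customresponseheaders.<Name>`, on all seven LABEL lines. The router reference `traefik.http.routers.myfavstuff5.middlewares="security-headers"` only takes effect if a router named `myfavstuff5` exists, which this patch does not show, so a comment stating where that router name comes from would save the next reader a hunt. The same header set is already emitted by nginx itself (the CSP `add_header` is visible as context in the nginx.conf hunk), so once the proxy injects it too the client sees each header twice; that is harmless as long as both layers carry identical values, but a comment naming which layer is authoritative would prevent them drifting apart. `X-XSS-Protection: 1; mode=block` is a legacy header that current guidance sets to `0` or omits, since the CSP line already covers that ground.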
diff --git a/nginx.conf b/nginx.conf
index 6714b53..24a726d 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -5,6 +5,9 @@ server {
 root /usr/share/nginx/html;
 index index.html index.htm;
 
+# Debug header to verify our nginx config is loaded
+add_header X-Custom-Config "MyFavStuff5-Nginx-Active" always;
+
 # Security Headers
 # Content Security Policy (CSP) - Prevents XSS attacks
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always;
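Review bot: The new `add_header X-Custom-Config "MyFavStuff5-Nginx-Active" always;` line is sent to every client on every response, including error pages because of `always`, so it is a permanent fingerprint of the deployment rather than a one-off check; once the config is confirmed loaded the two lines should be removed, or the comment should state that it is intentional and for how long, e.g. `# TEMPORARY: remove after verifying the proxy forwards this header`. Be aware that nginx inherits `add_header` directives only into blocks that define none of their own, so if any `location` block later in this server block (outside the hunk) adds its own header, this header and the security headers below it silently disappear for that location; a comment to that effect next to the `# Security Headers` section would help. The enclosing `server {` block starts and ends outside the hunk.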