feat: add security headers for Nginx, Caddy and Traefik with debug header
This commit is contained in:
parent
e2aeca1de7
commit
c06e076e56
19
Dockerfile
19
Dockerfile
@ -54,5 +54,24 @@ COPY nginx.conf /etc/nginx/conf.d/default.conf
|
|||||||
# Expose port 80
|
# Expose port 80
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
|
|
||||||
|
# Security Headers Labels for Coolify Reverse Proxy
|
||||||
|
LABEL caddy.header.Content-Security-Policy="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
|
||||||
|
LABEL caddy.header.Strict-Transport-Security="max-age=31536000; includeSubDomains; preload"
|
||||||
|
LABEL caddy.header.X-Frame-Options="DENY"
|
||||||
|
LABEL caddy.header.X-Content-Type-Options="nosniff"
|
||||||
|
LABEL caddy.header.Referrer-Policy="strict-origin-when-cross-origin"
|
||||||
|
LABEL caddy.header.X-XSS-Protection="1; mode=block"
|
||||||
|
LABEL caddy.header.Permissions-Policy="geolocation=(), microphone=(), camera=()"
|
||||||
|
|
||||||
|
# Alternative Traefik labels (if switching to Traefik)
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Content-Security-Policy="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Strict-Transport-Security="max-age=31536000; includeSubDomains; preload"
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.X-Frame-Options="DENY"
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.X-Content-Type-Options="nosniff"
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Referrer-Policy="strict-origin-when-cross-origin"
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.X-XSS-Protection="1; mode=block"
|
||||||
|
LABEL traefik.http.middlewares.security-headers.headers.customrequestheaders.Permissions-Policy="geolocation=(), microphone=(), camera=()"
|
||||||
|
LABEL traefik.http.routers.myfavstuff5.middlewares="security-headers"
|
||||||
|
|
||||||
# Start Nginx in foreground
|
# Start Nginx in foreground
|
||||||
CMD ["nginx", "-g", "daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
||||||
|
|||||||
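Review bot: The new Traefik labels, from the Content-Security-Policy label through the Permissions-Policy label, use `customrequestheaders`, which adds the headers to the request Traefik forwards to the upstream rather than to the response returned to the browser, so with Traefik in front none of these security headers would reach the client; the option for response headers is `customresponseheaders`, e.g. `LABEL traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Frame-Options="DENY"`, and the same rename applies to the other seven labels. Both the Caddy and the Traefik X-XSS-Protection labels set `1; mode=block`, which enables a filter current browsers no longer implement and which OWASP advises against because it could itself introduce vulnerabilities in older browsers; omitting the header or setting it to `0` and relying on the CSP is the current guidance. The CSP in these labels allows 'unsafe-inline' for script-src, which leaves the policy unable to block injected inline scripts, so a marker such as `# TODO: replace 'unsafe-inline' in script-src with nonces or hashes` would keep that gap visible. The router label `traefik.http.routers.myfavstuff5.middlewares` presumably has to match the router name the proxy generates for this service; if it does not, the middleware is defined but never attached to any route.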
@ -5,6 +5,9 @@ server {
|
|||||||
root /usr/share/nginx/html;
|
root /usr/share/nginx/html;
|
||||||
index index.html index.htm;
|
index index.html index.htm;
|
||||||
|
|
||||||
|
# Debug header to verify our nginx config is loaded
|
||||||
|
add_header X-Custom-Config "MyFavStuff5-Nginx-Active" always;
|
||||||
|
|
||||||
# Security Headers
|
# Security Headers
|
||||||
# Content Security Policy (CSP) - Prevents XSS attacks
|
# Content Security Policy (CSP) - Prevents XSS attacks
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always;
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always;
|
||||||
|
|||||||
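Review bot: The added `add_header X-Custom-Config "MyFavStuff5-Nginx-Active" always;` announces the deployment's identity to every client, which is useful while verifying that this config is loaded but becomes fingerprinting data once it ships; the comment above it should say when it goes, e.g. `# Debug header to verify our nginx config is loaded - remove once the deployment is verified`. nginx add_header directives are not inherited into a `location` block that declares its own add_header, so if any location below this hunk adds a header of its own, this debug header and the security headers beneath it would be absent from those responses unless repeated there. The enclosing `server {` block starts and ends outside the hunk.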