Test hardened TLS headers

2020-10-23 17:54:26 +02:00 · 2020-10-23 17:54:26 +02:00 · 48964a7aba
parent c18589d42f
commit 48964a7aba
2 changed files with 13 additions and 3 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -15,6 +15,7 @@ services:
            - ./traefik:/etc/traefik:ro
            - configtraefik:/config:ro
        environment:
+            - TRAEFIK_DOMAIN=${TRAEFIK_DOMAIN}
            - TZ=${TZ}
        labels:
            - "traefik.enable=true"
--- a/traefik/custom/middlewares.yaml
+++ b/traefik/custom/middlewares.yaml
@ -5,9 +5,18 @@ http:
        usersFile: "/etc/traefik/http_auth"
    security-headers:
      headers:
-        frameDeny: true
-        contentTypeNosniff: true
-        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 31536000
+
+        sslRedirect: true
+        sslForceHost: true
+        sslHost: '{{env "TRAEFIK_DOMAIN"}}'
+
+        contentSecurityPolicy: "script-src 'self'; img-src 'self'"
+        referrerPolicy: "same-origin"
+        featurePolicy: "vibrate 'self'; geolocation 'self'; midi 'self'; notifications 'self'; push 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'self'; fullscreen 'self'"
+
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true