feat: add security headers to caddyfile

This commit is contained in:
ruinivist
2026-06-01 07:41:22 +00:00
parent 95d27c5142
commit 887d3776b8
2 changed files with 10 additions and 0 deletions
+4
View File
@@ -0,0 +1,4 @@
## 2024-06-01 - [Missing Security Headers]
**Vulnerability:** The web application served by Caddy was missing essential security headers, making it more vulnerable to Clickjacking and MIME-sniffing attacks.
**Learning:** Security headers should be explicitly configured in the reverse proxy/web server (Caddy in this case) since they are not typically added by default application servers or front-end frameworks.
**Prevention:** Always ensure standard security headers (`X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, etc.) are configured globally in the Caddyfile or equivalent web server configuration for all incoming requests.
+6
View File
@@ -6,6 +6,12 @@
:80 {
encode zstd gzip
header {
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
}
@mcp path /mcp
handle @mcp {
reverse_proxy 127.0.0.1:3001