feat: add http security headers to caddyfile

This commit is contained in:
ruinivist
2026-06-06 08:30:04 +00:00
parent 01300c7061
commit 9ab0a350ec
2 changed files with 29 additions and 19 deletions
+4
View File
@@ -0,0 +1,4 @@
## 2024-06-06 - Missing HTTP Security Headers
**Vulnerability:** The Caddyfile configuration was missing standard HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), leaving the application susceptible to clickjacking, MIME-type sniffing, and sensitive data leakage via referrers.
**Learning:** The application relies on Caddy as a reverse proxy, and by default, Caddy doesn't automatically add these specific security headers unless explicitly configured.
**Prevention:** Ensure that reverse proxy configurations in new projects or updates to existing ones explicitly include essential HTTP security headers in a global scope to protect all served content.
+25 -19
View File
@@ -1,30 +1,36 @@
{ {
auto_https off auto_https off
admin off admin off
} }
:80 { :80 {
encode zstd gzip encode zstd gzip
handle /mcp { header {
reverse_proxy 127.0.0.1:3001 X-Frame-Options "SAMEORIGIN"
} X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
}
@app path / /api/* handle /mcp {
handle @app { reverse_proxy 127.0.0.1:3001
reverse_proxy 127.0.0.1:3000 }
}
handle { @app path / /api/*
root * /srv/public handle @app {
reverse_proxy 127.0.0.1:3000
}
@html path /index.html /d/* /p/* handle {
header @html Cache-Control "no-cache" root * /srv/public
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$ @html path /index.html /d/* /p/*
header @assets Cache-Control "public, max-age=31536000, immutable" header @html Cache-Control "no-cache"
try_files {path} /index.html @assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
file_server header @assets Cache-Control "public, max-age=31536000, immutable"
}
try_files {path} /index.html
file_server
}
} }