feat: add http security headers to caddyfile
This commit is contained in:
@@ -0,0 +1,4 @@
|
|||||||
|
## 2024-06-06 - Missing HTTP Security Headers
|
||||||
|
**Vulnerability:** The Caddyfile configuration was missing standard HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), leaving the application susceptible to clickjacking, MIME-type sniffing, and sensitive data leakage via referrers.
|
||||||
|
**Learning:** The application relies on Caddy as a reverse proxy, and by default, Caddy doesn't automatically add these specific security headers unless explicitly configured.
|
||||||
|
**Prevention:** Ensure that reverse proxy configurations in new projects or updates to existing ones explicitly include essential HTTP security headers in a global scope to protect all served content.
|
||||||
@@ -1,30 +1,36 @@
|
|||||||
{
|
{
|
||||||
auto_https off
|
auto_https off
|
||||||
admin off
|
admin off
|
||||||
}
|
}
|
||||||
|
|
||||||
:80 {
|
:80 {
|
||||||
encode zstd gzip
|
encode zstd gzip
|
||||||
|
|
||||||
handle /mcp {
|
header {
|
||||||
reverse_proxy 127.0.0.1:3001
|
X-Frame-Options "SAMEORIGIN"
|
||||||
}
|
X-Content-Type-Options "nosniff"
|
||||||
|
Referrer-Policy "strict-origin-when-cross-origin"
|
||||||
|
}
|
||||||
|
|
||||||
@app path / /api/*
|
handle /mcp {
|
||||||
handle @app {
|
reverse_proxy 127.0.0.1:3001
|
||||||
reverse_proxy 127.0.0.1:3000
|
}
|
||||||
}
|
|
||||||
|
|
||||||
handle {
|
@app path / /api/*
|
||||||
root * /srv/public
|
handle @app {
|
||||||
|
reverse_proxy 127.0.0.1:3000
|
||||||
|
}
|
||||||
|
|
||||||
@html path /index.html /d/* /p/*
|
handle {
|
||||||
header @html Cache-Control "no-cache"
|
root * /srv/public
|
||||||
|
|
||||||
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
|
@html path /index.html /d/* /p/*
|
||||||
header @assets Cache-Control "public, max-age=31536000, immutable"
|
header @html Cache-Control "no-cache"
|
||||||
|
|
||||||
try_files {path} /index.html
|
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
|
||||||
file_server
|
header @assets Cache-Control "public, max-age=31536000, immutable"
|
||||||
}
|
|
||||||
|
try_files {path} /index.html
|
||||||
|
file_server
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user