Harden security headers

Hey..

I wonder if anyone has a good set of security headers for a strict/secure middleware?

I found a few on the internet, but they didn't seem so up to date.

Mozilla has a generator for a few headers (link). I would recommend to use yaml instead of toml and place redirect on entrypoint (not in every router), see simple Traefik example.

That's what I use for general purpose:

http:
  middlewares:
    secHeaders:
      headers:                    # set some security headers
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:    # remove unnecessary headers which expose used server software
          server: ""
          x-powered-by: ""

I'd suggest setting Content-Security-Policy, Referrer-Policy, and Permissions-Policy individually depending on the need of the used software.
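As an added example (not part of the original reply), this is how the two pieces of advice above fit together in Traefik YAML: the HTTP-to-HTTPS redirect once on the entrypoint, and Content-Security-Policy, Referrer-Policy and Permissions-Policy set on the headers middleware itself rather than via customResponseHeaders. The two YAML documents belong in separate files (static and dynamic configuration); the hostname, service name, file path and policy values are placeholders to adapt.

```yaml
# --- Static configuration (e.g. traefik.yml): redirect HTTP to HTTPS once, at the
# entrypoint, so every router on "web" is covered and no per-router redirect is needed.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"

providers:
  file:
    filename: /etc/traefik/dynamic.yml   # placeholder path for the dynamic config below

---
# --- Dynamic configuration (dynamic.yml), loaded by the file provider above.
http:
  middlewares:
    secHeaders:
      headers:                       # the key is "headers" (plural); "header" is rejected
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        # customFrameOptionsValue overrides frameDeny, so the emitted header is
        # X-Frame-Options: SAMEORIGIN, not DENY. Remove this line to get DENY.
        customFrameOptionsValue: "SAMEORIGIN"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        # Set per application: a policy this strict breaks apps that use inline
        # scripts or third-party assets. To trial it first, ship the same value as
        # Content-Security-Policy-Report-Only via customResponseHeaders and tighten
        # from the reports before enforcing.
        contentSecurityPolicy: "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
        referrerPolicy: "strict-origin-when-cross-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=()"
        customResponseHeaders:       # an empty value removes the header entirely
          server: ""
          x-powered-by: ""

  routers:
    example-app:                     # placeholder router
      rule: "Host(`app.example.com`)"
      entryPoints:
        - websecure
      middlewares:
        - secHeaders                 # from another provider reference it as secHeaders@file
      service: example-app
      tls: {}

  services:
    example-app:
      loadBalancer:
        servers:
          - url: "http://app:8080"   # placeholder backend
```

A router defined through Docker labels attaches the same middleware with traefik.http.routers.<router>.middlewares=secHeaders@file. Fetching the site with curl -sI and reading the response headers is the quickest check that the middleware was actually found and applied; if Strict-Transport-Security and the policy headers are missing, Traefik has usually rejected the middleware definition and logged why.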

Question: should this not be header instead of headers, according to the migration guide?

The Headers and HeadersRegexp matchers have been renamed to Header and HeaderRegexp respectively.

http:
  middlewares:
    secHeaders:
      header:                    # set some security header
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders:    # remove unnecessary headers which expose used server software
          server: ""
          x-powered-by: ""

I'm currently getting this error although secHeaders is defined.

{"level":"error","entryPointName":"https","routerName":"portainer@docker","error":"middleware \"secHeaders@file\" does not exist","time":"2025-03-08T09:23:56+01:00"}

Label:

      # Middlewares applied in order: authelia (from Docker), ratelimit, compress, secHeaders (from file)
      # Router-level middleware chain; the label key is traefik.http.routers.<router>.middlewares
      - 'traefik.http.routers.portainer.middlewares=authelia@docker,ratelimit@file,compress@file,secHeaders@file'

Hi @Rar9,

no, the middleware is still called headers, see Traefik Headers Documentation - Traefik (there are plenty of "File (YAML)" examples). So, writing header: will cause an invalid middleware configuration.

I think you're referring to Traefik Routers Documentation - Traefik - that's a different thing.