Harden security headers


I wonder if anyone has a good set of security headers for a strict/secure middleware?

I found a few on the internet, but they didn't seem very up to date.

Mozilla has a generator for a few headers (link). I would recommend using YAML instead of TOML and placing the redirect on the entrypoint (not in every router); see the simple Traefik example.

That's what I use for general purpose:

      http:                           # Traefik dynamic configuration (file provider)
        middlewares:
          secure-headers:             # placeholder middleware name; reference it from your routers
            headers:                  # set some security headers
              browserXssFilter: true                 # X-XSS-Protection: 1; mode=block
              contentTypeNosniff: true               # X-Content-Type-Options: nosniff
              frameDeny: true                        # X-Frame-Options: DENY (see customFrameOptionsValue below)
              stsIncludeSubdomains: true             # Strict-Transport-Security: includeSubDomains
              stsPreload: true                       # Strict-Transport-Security: preload
              stsSeconds: 31536000                   # Strict-Transport-Security: max-age (one year)
              customFrameOptionsValue: "SAMEORIGIN"  # overrides frameDeny, so X-Frame-Options: SAMEORIGIN is sent
              customResponseHeaders:                 # remove unnecessary headers which expose used server software
                server: ""                           # an empty value removes the header from the response
                x-powered-by: ""

I'd suggest setting Content-Security-Policy, Referrer-Policy, and Permissions-Policy individually, depending on the needs of the software in use.
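To verify that a Traefik instance actually emits what the middleware above is meant to produce, the following checker compares a response's headers against the expected hardened set (one-year HSTS with includeSubDomains and preload, nosniff, SAMEORIGIN, Server and X-Powered-By stripped) and separately reports the per-application headers mentioned above. This is an added example, not code from the thread or from the Traefik project; the two sample responses are constructed inline so it runs offline, and the HSTS check goes slightly beyond the thread by parsing the directives instead of string-matching, so reordered or differently cased values still pass.

```python
"""Audit HTTP response headers against the hardened set a Traefik `headers`
middleware like the one posted above should emit.

Added example (not from the original thread). Sample responses below are
constructed for illustration.
"""
from typing import Dict, List

# Headers whose value must match exactly (case-insensitive), mirroring
# contentTypeNosniff and customFrameOptionsValue in the posted YAML.
REQUIRED_EXACT = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
}
# Headers the posted customResponseHeaders block removes; they must be absent.
FORBIDDEN = ["server", "x-powered-by"]
# Headers the thread says to set per application; reported, not failed.
PER_APP = ["content-security-policy", "referrer-policy", "permissions-policy"]
ONE_YEAR = 31536000  # stsSeconds in the posted config


def check_hsts(value: str, min_age: int = ONE_YEAR) -> List[str]:
    """Return problems with a Strict-Transport-Security value.

    Directive names are case-insensitive and order does not matter, so the
    value is parsed rather than compared as a literal string.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip()
    problems = []
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(age) < min_age:
        problems.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Group findings as missing / wrong / leaking / per_app_missing."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: Dict[str, List[str]] = {
        "missing": [], "wrong": [], "leaking": [], "per_app_missing": []}
    for name, expected in REQUIRED_EXACT.items():
        if name not in lower:
            findings["missing"].append(name)
        elif lower[name].lower() != expected.lower():
            findings["wrong"].append(
                f"{name}: got {lower[name]!r}, expected {expected!r}")
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings["missing"].append("strict-transport-security")
    else:
        for problem in check_hsts(hsts):
            findings["wrong"].append(f"strict-transport-security: {problem}")
    for name in FORBIDDEN:
        if name in lower:  # present at all counts as leaking software details
            findings["leaking"].append(f"{name}: {lower[name]!r}")
    for name in PER_APP:
        if name not in lower:
            findings["per_app_missing"].append(name)
    return findings


def is_hardened(headers: Dict[str, str]) -> bool:
    """True when nothing is missing, wrong, or leaking (per-app headers aside)."""
    f = audit_headers(headers)
    return not (f["missing"] or f["wrong"] or f["leaking"])


# Constructed sample: what a response behind the posted middleware looks like.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
# Constructed sample: a backend exposed without the middleware.
DEFAULT_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "nginx",
    "X-Powered-By": "PHP/8.2",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("default", DEFAULT_RESPONSE)):
        print(label, "->", "OK" if is_hardened(resp) else "NOT hardened")
        for category, items in audit_headers(resp).items():
            for item in items:
                print(f"  {category}: {item}")
```

Feed it the headers of a real response (e.g. from a HEAD request through Traefik) in place of the constructed samples; the `per_app_missing` list is informational, since which of those three headers apply depends on the application behind the router.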