Hey..
I wonder if anyone has a good set of security headers for a strict/secure middleware?
I found a few on the internet, but they didn't seem so up to date.
Mozilla has a generator for a few headers (link). I would recommend using yaml instead of toml and placing the redirect on the entrypoint (not in every router); see the simple Traefik example.
That's what I use for general purposes:

```yaml
http:
  middlewares:
    secHeaders:
      headers: # set some security headers
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        customResponseHeaders: # remove unnecessary headers which expose the server software in use
          server: ""
          x-powered-by: ""
```
I'd suggest setting Content-Security-Policy, Referrer-Policy, and Permissions-Policy individually depending on the need of the used software.
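As an added example (not code from the thread or from Traefik), here is a small Python checker that audits a captured HTTP response against the policy the secHeaders middleware above is meant to enforce, and warns about the headers the reply leaves to the individual application. The two sample responses are constructed; the X-Frame-Options check accepts SAMEORIGIN as well as DENY because Traefik's customFrameOptionsValue overrides frameDeny.

```python
"""Audit a raw HTTP response for the headers the Traefik secHeaders
middleware is expected to set (added example, not from the thread)."""
import re


def _hsts_ok(value, min_age=31536000):
    """max-age must be >= one year and both includeSubdomains and preload present."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    directives = {d.strip().lower() for d in value.split(";")}
    return bool(m) and int(m.group(1)) >= min_age and \
        "includesubdomains" in directives and "preload" in directives


# Headers the middleware options set, with a predicate on the accepted value.
EXPECTED = {
    "x-xss-protection": lambda v: v.startswith("1"),                   # browserXssFilter
    "x-content-type-options": lambda v: v.lower() == "nosniff",        # contentTypeNosniff
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),  # frameDeny / customFrameOptionsValue
    "strict-transport-security": _hsts_ok,                             # sts* options
}
FORBIDDEN = ("server", "x-powered-by")  # blanked out by customResponseHeaders
RECOMMENDED = ("content-security-policy", "referrer-policy", "permissions-policy")


def parse_headers(raw):
    """Parse the header section of a raw HTTP response into a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return (failures, warnings) for a parsed header dict."""
    failures, warnings = [], []
    for name, ok in EXPECTED.items():
        if name not in headers:
            failures.append(f"missing {name}")
        elif not ok(headers[name]):
            failures.append(f"weak {name}: {headers[name]!r}")
    for name in FORBIDDEN:
        if headers.get(name):  # present with a non-empty value
            failures.append(f"leaks software via {name}: {headers[name]!r}")
    warnings.extend(f"consider setting {n}" for n in RECOMMENDED if n not in headers)
    return failures, warnings


# Constructed samples: a response passed through secHeaders, and a bare backend response.
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Xss-Protection: 1; mode=block\r\n"
            "X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\n\r\n<html></html>")
UNHARDENED = ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4\r\n"
              "Strict-Transport-Security: max-age=300\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, audit(parse_headers(raw)))
```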