Multiple headers middleware overwriting?

Hi, I've discovered Traefik recently and so far it has been a great tool! But to get into the main topic, I'm trying to define multiple "headers" middlewares. Specifically:

  • One "global" that contains some security headers like HSTS, XSS-Protection, etc. Defined in a file provider
  • And another that contains the CSP header for a docker container (specific to that container)

In the Traefik dashboard they appear as if the two are enabled (and without errors), but on the requests only the last middleware takes place (even when they don't have common headers).

Here is my definition of the middlewares in a file:

    middlewares:
        # Other middlewares...
        secure-headers:
            headers:
                stsSeconds: 31536000                # Strict-Transport-Security
                stsIncludeSubdomains: true
                stsPreload: true
                browserXssFilter: true              # X-XSS-Protection
                frameDeny: true                     # X-Frame-Options
                featurePolicy: "vibrate 'none';"    # Feature-Policy header
                contentTypeNosniff: true            # X-Content-Type-Options
                referrerPolicy: "strict-origin-when-cross-origin"   # Referrer-Policy

And the labels for the specific container:

        labels:
            # Other labels ...

            # CSP headers
            - "traefik.http.middlewares.geoserver-csp-headers.headers.contentSecurityPolicy=img-src 'self'; script-src-elem 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'self'; report-uri https://xxxxxxxx.report-uri.com/r/d/csp/enforce"

            # Middleware
            - "traefik.http.routers.geoserver-secure.middlewares=secure-headers@file, geoserver-csp-headers@docker"
            #- "traefik.http.routers.geoserver-secure.middlewares=geoserver-csp-headers@docker,secure-headers@file"

I've tried changing the order of the middlewares and the same thing applies. Only the headers present in the last middleware are applied, the others are discarded.

I thought that this may be related to how I declared the list of middlewares in the docker labels, but in the documentation I see that they use the same syntax:

  • "traefik.http.routers.router0.middlewares=foobar, foobar"

Also, in the documentation of the middlewares I don't see anywhere that the middlewares overwrite each other. Can you guys help me out? I can't seem to find where the issue is, as both middlewares seem to be declared correctly.

Thanks,

For anyone experiencing the same issue, I've found a workaround: rewriting all the headers as customResponseHeaders. With this I achieve an A+ in secureheaders.io.

    middlewares:
        secure-headers:
            headers:
                customResponseHeaders:
                    Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
                    Feature-Policy: "vibrate 'none'"
                    Referrer-Policy: "strict-origin-when-cross-origin"
                    Expect-CT: "max-age=0, report-uri='https://xxxxxxx.report-uri.com/r/d/ct/reportOnly'"
                    X-Content-Type-Options: "nosniff"
                    X-Xss-Protection: "1; mode=block"
                    X-Frame-Options: "DENY"

But I would really like to know if this is the intended mechanism of the middlewares, as it doesn't seem that logical to me.

Or at least there could be a small warning in the middleware section of the documentation.

There is also https://github.com/containous/traefik/issues/5538
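
A check for the symptom described in this thread, as an added example that is not part of the original posts or of Traefik: it compares a captured response header block against the headers each middleware in the chain should contribute, so a silently dropped middleware shows up by name. The expected values are copied from the configs posted above; the function names and the sample response are constructed for illustration.

```python
# Headers each middleware should contribute, copied from the configs in the thread.
# None means "any non-empty value" (the CSP string is container-specific).
EXPECTED = {
    "secure-headers@file": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Feature-Policy": "vibrate 'none'",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff",
        "X-Xss-Protection": "1; mode=block",
        "X-Frame-Options": "DENY",
    },
    "geoserver-csp-headers@docker": {"Content-Security-Policy": None},
}

def parse_headers(raw):
    """Parse a header block as printed by `curl -sI` into {lowercase name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def directives(value):
    """Compare header values as sets of ';'-separated directives, ignoring case."""
    return frozenset(p.strip().lower() for p in value.split(";") if p.strip())

def audit(raw):
    """Return {middleware: [headers that are missing or have the wrong value]}."""
    got = parse_headers(raw)
    report = {}
    for middleware, wanted in EXPECTED.items():
        report[middleware] = [
            name for name, value in wanted.items()
            if not got.get(name.lower())
            or (value is not None and directives(got[name.lower()]) != directives(value))
        ]
    return report

def dropped(raw):
    """Middlewares from which no header at all reached the client."""
    return [m for m, bad in audit(raw).items() if len(bad) == len(EXPECTED[m])]

# Constructed sample: only the last middleware in the chain took effect.
SAMPLE_BROKEN = "HTTP/1.1 200 OK\r\nContent-Security-Policy: img-src 'self'\r\n\r\n"

if __name__ == "__main__":
    print(dropped(SAMPLE_BROKEN))
```

Feed `audit` the output of `curl -sI` against the router's host after each change to the middleware chain; an entry in `dropped` means a whole middleware was overwritten rather than a single header mistyped.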