# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2024 JWP Consulting GK
# Global options. `admin off` disables Caddy's admin API endpoint, so the
# running configuration cannot be read or changed over HTTP at runtime
# (the endpoint is otherwise enabled by default, bound to localhost).
{
	admin off
}
# Helpful links for Caddy security headers
# https://github.com/jpcaparas/caddy-csp/blob/f241472610a5a4e4f8d74e0976120bbb2cca84cc/Caddyfile
# https://paulbradley.dev/caddyfile-web-security-headers/
# Snippet imported by the catch-all frontend route (SvelteKit via adapter-node).
#
# We need to relax the CSP a bit, since Svelte has some inline js.
# Compared to backend_headers, we removed default-src and script-src.
# Consequence worth keeping in mind: with no default-src, every directive
# not listed below (script-src, frame-src, media-src, worker-src,
# manifest-src, ...) falls back to "no restriction" rather than 'self'.
# Furthermore, we have to make sure we don't override any CSP headers
# should SvelteKit with adapter-node decide to return a header itself;
# that is what the `?` prefix on the field name does: the value is only
# applied when the response does not already carry that header
# (presumably deferred until the proxied response is available — confirm
# against the Caddy `header` directive docs for the version in use).
# We have to relax style-src here as well, in case of a page transition
# from landing (prerendered) to dashboard (ssr/csr).
# Refer to https://github.com/sveltejs/kit/issues/11747 and
# https://kit.svelte.dev/docs/configuration
(frontend_headers) {
	header ?Content-Security-Policy "
		style-src 'self' 'unsafe-inline';
		font-src 'self';
		img-src 'self' blob: res.cloudinary.com;
		form-action 'self';
		connect-src 'self';
		frame-ancestors 'none';
		object-src 'self';
		base-uri 'self';
	"
	# NOTE(review): frame-ancestors 'none' overlaps with the X-Frame-Options
	# DENY set at site level; keeping both is fine (older clients only honour
	# the latter). object-src 'none' is the usual recommendation unless
	# plugin content is actually served — verify before tightening.
}
# Snippet imported by every route that is proxied to the Django backend
# (/admin/*, /static/django/*, /ws/*, /api/*).
# The backend is locked down more: default-src 'self' is present, so every
# directive not listed explicitly inherits 'self', and no inline
# scripts/styles are allowed.
(backend_headers) {
	header {
		# Unlike frontend_headers this is set unconditionally (no `?`), so a
		# CSP emitted by the backend itself is not treated as authoritative.
		# NOTE(review): confirm whether a backend-supplied CSP would then be
		# dropped, replaced, or sent alongside this one for the Caddy version
		# in use — two CSP headers are enforced as their intersection.
		Content-Security-Policy "
			default-src 'self';
			style-src 'self';
			script-src 'self';
			font-src 'self';
			img-src 'self' res.cloudinary.com;
			form-action 'self';
			connect-src 'self';
			frame-ancestors 'none';
			object-src 'self';
			base-uri 'self';
		"
		# TODO add default-src 'none', at least as a report directive
		# (i.e. a Content-Security-Policy-Report-Only header with a
		# report-to/report-uri target, so violations surface before enforcing).
	}
}
# The additional host requires setting the port within the variable.
# The idea is to avoid accidentally leaving out $ADDITIONAL_HOST and then
# having a stranded ":" there, if we instead write
# {$ADDITIONAL_HOST}:{$ADDITIONAL_PORT}
# Site block. `{$HOST:invalid}` / `{$PORT:invalid}` are environment
# placeholders with the literal default "invalid", so an unset variable
# yields the unparseable address "invalid:invalid" and Caddy refuses to
# start, instead of silently serving on a default listener.
# `{$ADDITIONAL_HOST}` has no default: when unset it expands to nothing,
# which is why its port must live inside the variable (see above).
{$HOST:invalid}:{$PORT:invalid} {$ADDITIONAL_HOST} {
	# Security headers applied to every response from this site.
	header {
		# Disallow framing entirely (older-client counterpart of the CSP
		# frame-ancestors 'none' set in both snippets).
		X-Frame-Options DENY
		# HSTS for 15768000 s (~6 months), including subdomains.
		# NOTE(review): the `preload` token is only honoured by the
		# hstspreload.org list with max-age >= 31536000 (1 year); at the
		# current value the site would not be accepted for preloading.
		Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
		# Stop browsers from MIME-sniffing responses away from the declared type.
		X-Content-Type-Options nosniff
		# NOTE(review): no Referrer-Policy or Permissions-Policy is set here;
		# consider whether the application wants them.
	}
	# Backend routes: `handle` keeps the request path intact when proxying.
	handle /admin/* {
		import backend_headers
		reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT}
	}
	handle /static/django/* {
		import backend_headers
		reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT}
	}
	handle /ws/* {
		import backend_headers
		reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT}
	}
	# `handle_path` (unlike `handle`) strips the matched prefix, so the
	# backend receives the request with "/api" removed from the path.
	handle_path /api/* {
		import backend_headers
		reverse_proxy {$BACKEND_HOST}:{$BACKEND_PORT}
	}
	# Catch-all: everything not matched above goes to the SvelteKit frontend
	# with the relaxed CSP. Presumably the more specific path matchers above
	# take precedence regardless of textual order — confirm against Caddy's
	# handle-ordering rules if routes are added.
	handle /* {
		import frontend_headers
		reverse_proxy {$FRONTEND_HOST}:{$FRONTEND_PORT}
	}
}