From 48964a7abab420774a4ac33318c69ce889524c3c Mon Sep 17 00:00:00 2001
From: Jean Froment
Date: Fri, 23 Oct 2020 17:54:26 +0200
Subject: [PATCH 1/4] Test hardened TLS headers

---
 docker-compose.yml | 1 +
 traefik/custom/middlewares.yaml | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 13731e5..e06464d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,6 +15,7 @@ services:
 - ./traefik:/etc/traefik:ro
 - configtraefik:/config:ro
 environment:
+ - TRAEFIK_DOMAIN=${TRAEFIK_DOMAIN}
 - TZ=${TZ}
 labels:
 - "traefik.enable=true"
diff --git a/traefik/custom/middlewares.yaml b/traefik/custom/middlewares.yaml
index ceff042..3c400fe 100644
--- a/traefik/custom/middlewares.yaml
+++ b/traefik/custom/middlewares.yaml
@@ -5,9 +5,18 @@ http:
 usersFile: "/etc/traefik/http_auth"
 security-headers:
 headers:
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsSeconds: 31536000
+
+ sslRedirect: true
+ sslForceHost: true
+ sslHost: '{{env "TRAEFIK_DOMAIN"}}'
+
+ contentSecurityPolicy: "script-src 'self'; img-src 'self'"
+ referrerPolicy: "same-origin"
+ featurePolicy: "vibrate 'self'; geolocation 'self'; midi 'self'; notifications 'self'; push 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'self'; fullscreen 'self'"
+
 frameDeny: true
 contentTypeNosniff: true
 browserXssFilter: true
- forceSTSHeader: true
- stsIncludeSubdomains: true
- stsSeconds: 31536000
\ No newline at end of file

From a78c0de207aaca0529bd5034ce7cc6a187d1f7de Mon Sep 17 00:00:00 2001
From: Jean Froment
Date: Fri, 23 Oct 2020 17:58:09 +0200
Subject: [PATCH 2/4] Fix SSLHost

---
 traefik/custom/middlewares.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/traefik/custom/middlewares.yaml b/traefik/custom/middlewares.yaml
index 3c400fe..b28e40b 100644
--- a/traefik/custom/middlewares.yaml
+++ b/traefik/custom/middlewares.yaml
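Review bot: The pass-through `- TRAEFIK_DOMAIN=${TRAEFIK_DOMAIN}` added under `environment:` silently expands to an empty string when the variable is absent from the host environment or `.env`, and the `{{env "TRAEFIK_DOMAIN"}}` template added to the middlewares file in the same patch then renders an empty `sslHost` with no error anywhere. Compose's required-variable form fails fast with a readable message instead: `- TRAEFIK_DOMAIN=${TRAEFIK_DOMAIN:?TRAEFIK_DOMAIN must be set}`. The `services` block this line belongs to starts and ends outside the hunk.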
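Review bot: The added `featurePolicy` value lists `vibrate 'self'` twice (as the first and the second-to-last directive); one copy should be dropped. Feature-Policy has since been superseded by Permissions-Policy in browsers, so if the Traefik version in use exposes the headers middleware's `permissionsPolicy` option that is the better home for this list, and a comment such as `# Feature-Policy is deprecated in browsers; migrate to permissionsPolicy when the Traefik version supports it` would record that either way. Separately, by the documented semantics `sslForceHost: true` together with a single `sslHost` redirects every request whose Host differs to that one host, which on a middleware shared by several subdomain routers collapses them all onto the apex; PATCH 3/4 in this series removes those three lines, and an entrypoint-level HTTP-to-HTTPS redirection or a RedirectScheme middleware preserves each request's own Host, which looks like what was intended. The enclosing `middlewares` mapping starts outside the hunk.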
@@ -11,7 +11,7 @@ http:
 
 sslRedirect: true
 sslForceHost: true
- sslHost: '{{env "TRAEFIK_DOMAIN"}}'
+ sslHost: '*.{{env "TRAEFIK_DOMAIN"}}'
 
 contentSecurityPolicy: "script-src 'self'; img-src 'self'"
 referrerPolicy: "same-origin"

From b6be84c98c82b7b8285a080b1a18c74980901dd9 Mon Sep 17 00:00:00 2001
From: Jean Froment
Date: Fri, 23 Oct 2020 17:59:04 +0200
Subject: [PATCH 3/4] Remove some SSL headers

---
 traefik/custom/middlewares.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/traefik/custom/middlewares.yaml b/traefik/custom/middlewares.yaml
index b28e40b..ae9f623 100644
--- a/traefik/custom/middlewares.yaml
+++ b/traefik/custom/middlewares.yaml
@@ -9,10 +9,6 @@ http:
 stsIncludeSubdomains: true
 stsSeconds: 31536000
 
- sslRedirect: true
- sslForceHost: true
- sslHost: '*.{{env "TRAEFIK_DOMAIN"}}'
-
 contentSecurityPolicy: "script-src 'self'; img-src 'self'"
 referrerPolicy: "same-origin"
 featurePolicy: "vibrate 'self'; geolocation 'self'; midi 'self'; notifications 'self'; push 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'self'; fullscreen 'self'"

From df5b88fe40eaed72c6023fdba313d042fb5e5401 Mon Sep 17 00:00:00 2001
From: Jean Froment
Date: Fri, 23 Oct 2020 18:00:51 +0200
Subject: [PATCH 4/4] Remove some header

---
 traefik/custom/middlewares.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/traefik/custom/middlewares.yaml b/traefik/custom/middlewares.yaml
index ae9f623..da09072 100644
--- a/traefik/custom/middlewares.yaml
+++ b/traefik/custom/middlewares.yaml
@@ -9,7 +9,6 @@ http:
 stsIncludeSubdomains: true
 stsSeconds: 31536000
 
- contentSecurityPolicy: "script-src 'self'; img-src 'self'"
 referrerPolicy: "same-origin"
 featurePolicy: "vibrate 'self'; geolocation 'self'; midi 'self'; notifications 'self'; push 'self'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'self'; fullscreen 'self'"
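Review bot: `sslHost` is documented as a plain host name rather than a pattern, so the new `sslHost: '*.{{env "TRAEFIK_DOMAIN"}}'` makes the forced redirect emit a Location whose host literally begins with `*.`, which clients cannot resolve; the leading wildcard does not make the redirect per-subdomain. PATCH 3/4 removes `sslRedirect`, `sslForceHost` and `sslHost` again, which is the right outcome for a middleware shared across subdomains. If an HTTP-to-HTTPS redirect that keeps each request's own Host is still wanted, the entrypoint-level redirection or a RedirectScheme middleware does that without naming any host. The surrounding `headers` mapping starts before and ends after the hunk.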