proxy/dynamic/security.yaml

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

http:
  middlewares:
    # Security Headers Middleware
    security-headers:
      headers:
        # HSTS (HTTP Strict Transport Security)
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

        # Force HTTPS
        forceSTSHeader: true

        # Clickjacking protection
        customFrameOptionsValue: "SAMEORIGIN"

        # XSS Protection
        browserXssFilter: true

        # Content Type sniffing protection
        contentTypeNosniff: true

        # Referrer Policy
        referrerPolicy: "strict-origin-when-cross-origin"

        # Permissions Policy (formerly Feature Policy)
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          Permissions-Policy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()"
          X-Content-Type-Options: "nosniff"
          X-Frame-Options: "SAMEORIGIN"

    # Rate Limiting Middleware (optional, can be applied per service)
    rate-limit:
      rateLimit:
        average: 100
        burst: 50
        period: 1s

    # Rate Limiting for API endpoints (stricter)
    api-rate-limit:
      rateLimit:
        average: 30
        burst: 15
        period: 1s
feat: add comprehensive Traefik security hardening Added security enhancements to Traefik reverse proxy: TLS Security: - Minimum TLS 1.2 enforced - Strong cipher suites (ECDHE, AES-GCM, ChaCha20) - Modern curve preferences (P-521, P-384) - SNI strict mode enabled HTTP Security Headers: - HSTS with 1-year max-age, includeSubdomains, and preload - X-Frame-Options: SAMEORIGIN (clickjacking protection) - X-XSS-Protection enabled - X-Content-Type-Options: nosniff - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy (disable camera, mic, geolocation, etc.) - X-Robots-Tag for SEO control Rate Limiting Middlewares: - General: 100 req/s average, 50 burst - API endpoints: 30 req/s average, 15 burst Configuration: - Enabled Traefik file provider for dynamic config - Security headers applied globally to web-secure entrypoint - Dynamic config in proxy/dynamic/security.yaml - Auto-reloads on config changes All HTTPS traffic now benefits from enhanced security headers. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-04 23:20:34 +01:00			`tls:`
			`options:`
			`default:`
			`minVersion: VersionTLS12`
			`cipherSuites:`
			`- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
			`- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
			`- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`
			`- TLS_AES_128_GCM_SHA256`
			`- TLS_AES_256_GCM_SHA384`
			`- TLS_CHACHA20_POLY1305_SHA256`
			`curvePreferences:`
			`- CurveP521`
			`- CurveP384`
			`sniStrict: true`

			`http:`
			`middlewares:`
			`# Security Headers Middleware`
			`security-headers:`
			`headers:`
			`# HSTS (HTTP Strict Transport Security)`
			`stsSeconds: 31536000`
			`stsIncludeSubdomains: true`
			`stsPreload: true`

			`# Force HTTPS`
			`forceSTSHeader: true`

			`# Clickjacking protection`
			`customFrameOptionsValue: "SAMEORIGIN"`

			`# XSS Protection`
			`browserXssFilter: true`

			`# Content Type sniffing protection`
			`contentTypeNosniff: true`

			`# Referrer Policy`
			`referrerPolicy: "strict-origin-when-cross-origin"`

			`# Permissions Policy (formerly Feature Policy)`
			`customResponseHeaders:`
			`X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"`
			`Permissions-Policy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()"`
			`X-Content-Type-Options: "nosniff"`
			`X-Frame-Options: "SAMEORIGIN"`

			`# Rate Limiting Middleware (optional, can be applied per service)`
			`rate-limit:`
			`rateLimit:`
			`average: 100`
			`burst: 50`
			`period: 1s`

			`# Rate Limiting for API endpoints (stricter)`
			`api-rate-limit:`
			`rateLimit:`
			`average: 30`
			`burst: 15`
			`period: 1s`