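---
# Traefik dynamic configuration: TLS hardening plus HTTP security middlewares.
tls:
  options:
    default:
      # Reject TLS 1.0 / 1.1 handshakes.
      minVersion: VersionTLS12
      # Explicit allow-list for TLS 1.2. Only ECDHE_RSA suites are listed, so a
      # TLS 1.2-only client talking to a certificate with an EC (ECDSA) key has
      # no usable suite and fails the handshake (TLS 1.3 is unaffected, its
      # suites are signature-agnostic). Add the ECDHE_ECDSA variants if such
      # certificates are deployed.
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        # TLS 1.3 suites are not configurable in Go's crypto/tls (all three are
        # always enabled); these entries document intent but have no effect.
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      # Key-exchange curves offered, in preference order. X25519 and P-256 are
      # not listed — confirm client compatibility before keeping it that way.
      curvePreferences:
        - CurveP521
        - CurveP384
      # Refuse connections whose SNI matches no configured certificate instead
      # of falling back to the default certificate.
      sniStrict: true

http:
  middlewares:
    # Security headers middleware: attach to routers that serve browsers.
    security-headers:
      headers:
        # HSTS: one year, including subdomains, eligible for the preload list.
        # Preload is hard to undo — every subdomain must serve HTTPS before the
        # domain is submitted.
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        # Emit the HSTS header even when the request reached Traefik over plain
        # HTTP (e.g. behind an upstream TLS-terminating proxy).
        forceSTSHeader: true
        # Clickjacking protection; produces X-Frame-Options: SAMEORIGIN.
        customFrameOptionsValue: "SAMEORIGIN"
        # Produces X-XSS-Protection: 1; mode=block. The header is deprecated and
        # ignored by current browsers; a Content-Security-Policy is the effective
        # control. TODO confirm whether any legacy clients still warrant it.
        browserXssFilter: true
        # Produces X-Content-Type-Options: nosniff.
        contentTypeNosniff: true
        referrerPolicy: "strict-origin-when-cross-origin"
        # Headers the typed options above cannot express. X-Frame-Options and
        # X-Content-Type-Options are intentionally not repeated here: they are
        # already emitted by customFrameOptionsValue / contentTypeNosniff, and a
        # second copy only leaves two places that can drift apart.
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          # Permissions Policy (formerly Feature Policy): deny browser features
          # the service does not use.
          Permissions-Policy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()"
        # No Content-Security-Policy is configured here; set contentSecurityPolicy
        # per service once its script/style/connect origins are known.

    # Rate limiting middleware (optional; apply per service).
    # Token bucket: `average` requests per `period`, with up to `burst`
    # requests allowed through in a short spike.
    rate-limit:
      rateLimit:
        average: 100
        burst: 50
        period: 1s

    # Stricter rate limit intended for API endpoints.
    api-rate-limit:
      rateLimit:
        average: 30
        burst: 15
        period: 1s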