Sebastian Krüger
b420f1d4bf
Added security enhancements to Traefik reverse proxy: **TLS Security:** - Minimum TLS 1.2 enforced - Strong cipher suites (ECDHE, AES-GCM, ChaCha20) - Modern curve preferences (P-521, P-384) - SNI strict mode enabled **HTTP Security Headers:** - HSTS with 1-year max-age, includeSubdomains, and preload - X-Frame-Options: SAMEORIGIN (clickjacking protection) - X-XSS-Protection enabled - X-Content-Type-Options: nosniff - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy (disable camera, mic, geolocation, etc.) - X-Robots-Tag for SEO control **Rate Limiting Middlewares:** - General: 100 req/s average, 50 burst - API endpoints: 30 req/s average, 15 burst **Configuration:** - Enabled Traefik file provider for dynamic config - Security headers applied globally to web-secure entrypoint - Dynamic config in proxy/dynamic/security.yaml - Auto-reloads on config changes All HTTPS traffic now benefits from enhanced security headers. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>