| fff.red { | |
| header / { | |
| Strict-Transport-Security "max-age=31536000; includeSubDomains" | |
| Content-Security-Policy "default-src https:*" | |
| Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000" | |
| X-Frame-Options SAMEORIGIN | |
| X-XSS-Protection "1; mode=block" | |
| X-Content-Type-Options nosniff | |
| } | |
| } |
Securityheaders.io will guide you through smart values for these. My CSP should be tighter for sure.
Public Key Pinning was the only tricky bit, see this article for details: https://scotthelme.co.uk/hpkp-http-public-key-pinning/
Caddy certs & keys are stored in e.g. ~/.caddy/letsencrypt/sites/fff.red/.