From 04e2b73dcdf64ba33cd8be0a35b6e3505852a933 Mon Sep 17 00:00:00 2001
From: Adrien
Date: Tue, 7 Jul 2020 23:33:17 +0200
Subject: [PATCH] Add default security headers
---
 .../2.1/traefik-middleware-headers.yml.j2 | 31 +++++++++++++++++++
 .../2.2/traefik-middleware-headers.yml.j2 | 31 +++++++++++++++++++
 vars/main.yml | 2 ++
 3 files changed, 64 insertions(+)
 create mode 100644 templates/2.1/traefik-middleware-headers.yml.j2
 create mode 100644 templates/2.2/traefik-middleware-headers.yml.j2
diff --git a/templates/2.1/traefik-middleware-headers.yml.j2 b/templates/2.1/traefik-middleware-headers.yml.j2
new file mode 100644
index 0000000..e0906fb
--- /dev/null
+++ b/templates/2.1/traefik-middleware-headers.yml.j2
@@ -0,0 +1,31 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: {{ traefik_namespace }}
+spec:
+ headers:
+ browserXssFilter: "true"
+ contentTypeNosniff: "true"
+ forceSTSHeader: "true"
+ frameDeny = "true"
+ stsIncludeSubdomains: "true"
+ stsPreload: "true"
+ stsSeconds: "15768000"
+ sslRedirect: "true"
+ contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
+ customFrameOptionsValue: "SAMEORIGIN"
+ referrerPolicy = "same-origin"
+ featurePolicy = "vibrate 'self'"
+
+ # CORS
+ accessControlAllowMethods:
+ - "GET"
+ - "OPTIONS"
+ - "PUT"
+ accessControlAllowOrigin = "origin-list-or-null"
+# accessControlAllowOriginList:
+# - "https://foo.bar.org"
+# - "https://example.org"
+ accessControlMaxAge: 100
+ addVaryHeader: "true"
\ No newline at end of file
diff --git a/templates/2.2/traefik-middleware-headers.yml.j2 b/templates/2.2/traefik-middleware-headers.yml.j2
new file mode 100644
index 0000000..e0906fb
--- /dev/null
+++ b/templates/2.2/traefik-middleware-headers.yml.j2
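Review bot: Five entries in the rendered `spec.headers` block use `=` instead of `:` — `frameDeny`, `contentSecurityPolicy`, `referrerPolicy`, `featurePolicy` and `accessControlAllowOrigin` — so the rendered manifest is not valid YAML and the apply fails before any header is set; the same blob is added under templates/2.2 (identical index e0906fb), so both files need the fix. The field types are also mixed: `browserXssFilter`, `frameDeny` and the other flags are quoted `"true"` and `stsSeconds` is `"15768000"` while `accessControlMaxAge` is a bare `100`, and the Traefik CRD documents these as bool/int, so I would unquote them (confirm against the CRD schema for the targeted version). `frameDeny` and `customFrameOptionsValue: "SAMEORIGIN"` contradict each other — Traefik's custom value overrides frameDeny — so keep only the intended one. On the policy side, `default-src 'self' 'unsafe-inline'` permits inline script and largely neutralises the CSP's XSS protection, and `accessControlAllowOrigin: "origin-list-or-null"` with the origin list commented out likely reflects any request Origin; both deserve a comment stating they are a permissive baseline to be overridden per application, or a tightening. A corrected block follows.
```yaml
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 15768000
    sslRedirect: true
    # Permissive baseline: 'unsafe-inline' weakens the CSP's XSS protection; tighten per application.
    contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    customFrameOptionsValue: "SAMEORIGIN"  # overrides frameDeny, so frameDeny is dropped
    referrerPolicy: "same-origin"
    featurePolicy: "vibrate 'self'"
    # … unchanged: CORS method list …
    # Reflects the request Origin until accessControlAllowOriginList is enabled; restrict per application.
    accessControlAllowOrigin: "origin-list-or-null"
    # … unchanged: commented-out origin list, accessControlMaxAge …
    addVaryHeader: true
```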
@@ -0,0 +1,31 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: {{ traefik_namespace }}
+spec:
+ headers:
+ browserXssFilter: "true"
+ contentTypeNosniff: "true"
+ forceSTSHeader: "true"
+ frameDeny = "true"
+ stsIncludeSubdomains: "true"
+ stsPreload: "true"
+ stsSeconds: "15768000"
+ sslRedirect: "true"
+ contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
+ customFrameOptionsValue: "SAMEORIGIN"
+ referrerPolicy = "same-origin"
+ featurePolicy = "vibrate 'self'"
+
+ # CORS
+ accessControlAllowMethods:
+ - "GET"
+ - "OPTIONS"
+ - "PUT"
+ accessControlAllowOrigin = "origin-list-or-null"
+# accessControlAllowOriginList:
+# - "https://foo.bar.org"
+# - "https://example.org"
+ accessControlMaxAge: 100
+ addVaryHeader: "true"
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index e1d58f4..dda7180 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -34,6 +34,7 @@ traefik_2.1_list:
 - 2.1/traefik-dashboard-svc.yml.j2
 - 2.1/traefik-middleware-httpsredirect.yml.j2
 - 2.1/traefik-middleware-basicauth.yml.j2
+ - 2.1/traefik-middleware-headers.yml.j2
 - 2.1/traefik-tls-options.yml.j2
 - 2.1/traefik-dashboard.yml.j2
 - 2.1/traefik-dashboard-insecure.yml.j2
@@ -57,6 +58,7 @@ traefik_2.2_list:
 - 2.2/traefik-dashboard-svc.yml.j2
 - 2.2/traefik-middleware-httpsredirect.yml.j2
 - 2.2/traefik-middleware-basicauth.yml.j2
+ - 2.2/traefik-middleware-headers.yml.j2
 - 2.2/traefik-tls-options.yml.j2
 - 2.2/traefik-dashboard.yml.j2
 - 2.2/traefik-dashboard-insecure.yml.j2