adrien/ansible-role-k8s-traefik
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add default security headers
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Adrien Reslinger 2020-07-07 23:33:17 +02:00
parent a01b9619ec
commit 04e2b73dcd
3 changed files with 64 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

31
templates/2.1/traefik-middleware-headers.yml.j2 Normal file
View file

@ -0,0 +1,31 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: security-headers
namespace: {{ traefik_namespace }}
spec:
headers:
browserXssFilter: "true"
contentTypeNosniff: "true"
forceSTSHeader: "true"
frameDeny = "true"
stsIncludeSubdomains: "true"
stsPreload: "true"
stsSeconds: "15768000"
sslRedirect: "true"
contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
customFrameOptionsValue: "SAMEORIGIN"
referrerPolicy = "same-origin"
featurePolicy = "vibrate 'self'"
# CORS
accessControlAllowMethods:
- "GET"
- "OPTIONS"
- "PUT"
accessControlAllowOrigin = "origin-list-or-null"
# accessControlAllowOriginList:
# - "https://foo.bar.org"
# - "https://example.org"
accessControlMaxAge: 100
addVaryHeader: "true"

31
templates/2.2/traefik-middleware-headers.yml.j2 Normal file
View file

@ -0,0 +1,31 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: security-headers
namespace: {{ traefik_namespace }}
spec:
headers:
browserXssFilter: "true"
contentTypeNosniff: "true"
forceSTSHeader: "true"
frameDeny = "true"
stsIncludeSubdomains: "true"
stsPreload: "true"
stsSeconds: "15768000"
sslRedirect: "true"
contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
customFrameOptionsValue: "SAMEORIGIN"
referrerPolicy = "same-origin"
featurePolicy = "vibrate 'self'"
# CORS
accessControlAllowMethods:
- "GET"
- "OPTIONS"
- "PUT"
accessControlAllowOrigin = "origin-list-or-null"
# accessControlAllowOriginList:
# - "https://foo.bar.org"
# - "https://example.org"
accessControlMaxAge: 100
addVaryHeader: "true"

2
vars/main.yml
View file

@ -34,6 +34,7 @@ traefik_2.1_list:
- 2.1/traefik-dashboard-svc.yml.j2 - 2.1/traefik-dashboard-svc.yml.j2
- 2.1/traefik-middleware-httpsredirect.yml.j2 - 2.1/traefik-middleware-httpsredirect.yml.j2
- 2.1/traefik-middleware-basicauth.yml.j2 - 2.1/traefik-middleware-basicauth.yml.j2
- 2.1/traefik-middleware-headers.yml.j2
- 2.1/traefik-tls-options.yml.j2 - 2.1/traefik-tls-options.yml.j2
- 2.1/traefik-dashboard.yml.j2 - 2.1/traefik-dashboard.yml.j2
- 2.1/traefik-dashboard-insecure.yml.j2 - 2.1/traefik-dashboard-insecure.yml.j2
@ -57,6 +58,7 @@ traefik_2.2_list:
- 2.2/traefik-dashboard-svc.yml.j2 - 2.2/traefik-dashboard-svc.yml.j2
- 2.2/traefik-middleware-httpsredirect.yml.j2 - 2.2/traefik-middleware-httpsredirect.yml.j2
- 2.2/traefik-middleware-basicauth.yml.j2 - 2.2/traefik-middleware-basicauth.yml.j2
- 2.2/traefik-middleware-headers.yml.j2
- 2.2/traefik-tls-options.yml.j2 - 2.2/traefik-tls-options.yml.j2
- 2.2/traefik-dashboard.yml.j2 - 2.2/traefik-dashboard.yml.j2
- 2.2/traefik-dashboard-insecure.yml.j2 - 2.2/traefik-dashboard-insecure.yml.j2