Add default security headers

2020-07-07 23:33:17 +02:00 · 2020-07-07 23:33:17 +02:00 · 04e2b73dcd
commit 04e2b73dcd
parent a01b9619ec
3 changed files with 64 additions and 0 deletions
--- a/templates/2.1/traefik-middleware-headers.yml.j2
+++ b/templates/2.1/traefik-middleware-headers.yml.j2
@ -0,0 +1,31 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+  namespace: {{ traefik_namespace }}
+spec:
+  headers:
+    browserXssFilter: "true"
+    contentTypeNosniff: "true"
+    forceSTSHeader: "true"
+    frameDeny = "true"
+    stsIncludeSubdomains: "true"
+    stsPreload: "true"
+    stsSeconds: "15768000"
+    sslRedirect: "true"
+    contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
+    customFrameOptionsValue: "SAMEORIGIN"
+    referrerPolicy = "same-origin"
+    featurePolicy = "vibrate 'self'"
+
+    # CORS
+    accessControlAllowMethods:
+      - "GET"
+      - "OPTIONS"
+      - "PUT"
+    accessControlAllowOrigin = "origin-list-or-null"
+#    accessControlAllowOriginList:
+#      - "https://foo.bar.org"
+#      - "https://example.org"
+    accessControlMaxAge: 100
+    addVaryHeader: "true"
--- a/templates/2.2/traefik-middleware-headers.yml.j2
+++ b/templates/2.2/traefik-middleware-headers.yml.j2
@ -0,0 +1,31 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+  namespace: {{ traefik_namespace }}
+spec:
+  headers:
+    browserXssFilter: "true"
+    contentTypeNosniff: "true"
+    forceSTSHeader: "true"
+    frameDeny = "true"
+    stsIncludeSubdomains: "true"
+    stsPreload: "true"
+    stsSeconds: "15768000"
+    sslRedirect: "true"
+    contentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
+    customFrameOptionsValue: "SAMEORIGIN"
+    referrerPolicy = "same-origin"
+    featurePolicy = "vibrate 'self'"
+
+    # CORS
+    accessControlAllowMethods:
+      - "GET"
+      - "OPTIONS"
+      - "PUT"
+    accessControlAllowOrigin = "origin-list-or-null"
+#    accessControlAllowOriginList:
+#      - "https://foo.bar.org"
+#      - "https://example.org"
+    accessControlMaxAge: 100
+    addVaryHeader: "true"
--- a/vars/main.yml
+++ b/vars/main.yml
@ -34,6 +34,7 @@ traefik_2.1_list:
  - 2.1/traefik-dashboard-svc.yml.j2
  - 2.1/traefik-middleware-httpsredirect.yml.j2
  - 2.1/traefik-middleware-basicauth.yml.j2
+  - 2.1/traefik-middleware-headers.yml.j2
  - 2.1/traefik-tls-options.yml.j2
  - 2.1/traefik-dashboard.yml.j2
  - 2.1/traefik-dashboard-insecure.yml.j2
@ -57,6 +58,7 @@ traefik_2.2_list:
  - 2.2/traefik-dashboard-svc.yml.j2
  - 2.2/traefik-middleware-httpsredirect.yml.j2
  - 2.2/traefik-middleware-basicauth.yml.j2
+  - 2.2/traefik-middleware-headers.yml.j2
  - 2.2/traefik-tls-options.yml.j2
  - 2.2/traefik-dashboard.yml.j2
  - 2.2/traefik-dashboard-insecure.yml.j2