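---
# Traefik Middleware (CRD) that adds security response headers and CORS
# settings to every route that references it. This file is a template: the
# namespace is filled in from the traefik_namespace variable at render time.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  # Quoted so the rendered value is always a string (an empty or
  # boolean-looking expansion would otherwise change type).
  namespace: "{{ traefik_namespace }}"
spec:
  headers:
    # Booleans and integers are written as native YAML types: the CRD fields
    # are typed, and quoted "true" / "15768000" are strings, not bool / int.
    browserXssFilter: true
    contentTypeNosniff: true

    # HSTS. forceSTSHeader emits the header even when Traefik does not see
    # the connection as TLS (e.g. behind a TLS-terminating proxy).
    forceSTSHeader: true
    stsIncludeSubdomains: true
    # NOTE(review): stsPreload is set, but 15768000 s is roughly six months.
    # The browser preload list requires a max-age of at least one year
    # (31536000 s), so raise this before submitting the domain. Preload and
    # includeSubDomains are hard to roll back; confirm every subdomain
    # serves HTTPS first.
    stsPreload: true
    stsSeconds: 15768000
    # NOTE(review): later Traefik v2 releases deprecate sslRedirect in favour
    # of an entry-point redirection or the redirectScheme middleware. Verify
    # against the deployed version.
    sslRedirect: true

    # Clickjacking protection. customFrameOptionsValue takes precedence over
    # frameDeny, so the header actually sent is X-Frame-Options: SAMEORIGIN.
    frameDeny: true
    customFrameOptionsValue: "SAMEORIGIN"

    # NOTE(review): 'unsafe-inline' under default-src permits inline scripts
    # and styles, which removes most of the XSS mitigation a CSP provides.
    # Prefer nonces or hashes once inline code has been inventoried.
    contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    referrerPolicy: "same-origin"
    # NOTE(review): Feature-Policy has been superseded by Permissions-Policy
    # in browsers. Check whether the deployed Traefik version offers a
    # permissionsPolicy option.
    featurePolicy: "vibrate 'self'"

    # CORS
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
    # NOTE(review): "origin-list-or-null" looks like a documentation
    # placeholder, not a real origin. As written it is sent verbatim as the
    # allowed origin and matches no caller. Replace it with the intended
    # origin(s); newer Traefik v2 releases expect the list form shown below.
    # Avoid "*" or "null" for endpoints that carry credentials.
    accessControlAllowOrigin: "origin-list-or-null"
    # accessControlAllowOriginList:
    #   - "https://foo.bar.org"
    #   - "https://example.org"
    accessControlMaxAge: 100
    # Vary: Origin keeps shared caches from serving one origin's CORS
    # response to another origin.
    addVaryHeader: true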