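---
# Traefik Middleware that sets security response headers and a CORS policy.
# This file is a template: traefik_namespace is filled in at render time.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  # Quoted so an empty or boolean-looking expansion still renders as a string.
  namespace: "{{ traefik_namespace }}"
spec:
  headers:
    # Boolean and integer options use native YAML types. The Middleware CRD
    # declares these fields as bool/int64, so quoted "true" / "15768000" are
    # strings and can be rejected by schema validation or fail to decode.

    # Sends `X-XSS-Protection: 1; mode=block`. Current browsers have dropped
    # the XSS auditor, so treat the CSP below as the actual XSS control.
    browserXssFilter: true
    contentTypeNosniff: true

    # HSTS. forceSTSHeader emits the header on plain-HTTP responses as well.
    forceSTSHeader: true
    # NOTE(review): customFrameOptionsValue below takes precedence over
    # frameDeny, so the effective X-Frame-Options is SAMEORIGIN, not DENY.
    frameDeny: true
    stsIncludeSubdomains: true
    # NOTE(review): 15768000 s is about six months. Preload-list submission
    # expects max-age >= 31536000, and includeSubDomains + preload are hard to
    # roll back; confirm every subdomain serves HTTPS before relying on them.
    stsPreload: true
    stsSeconds: 15768000
    # NOTE(review): sslRedirect is deprecated in later Traefik v2 releases in
    # favour of an entry-point redirect or the RedirectScheme middleware.
    sslRedirect: true

    # NOTE(review): 'unsafe-inline' under default-src allows inline scripts and
    # styles, which removes most of the XSS mitigation a CSP provides. Prefer
    # nonces or hashes once inline code has been inventoried.
    contentSecurityPolicy: "default-src 'self' 'unsafe-inline'"
    customFrameOptionsValue: "SAMEORIGIN"
    referrerPolicy: "same-origin"
    # NOTE(review): Feature-Policy has been superseded by Permissions-Policy;
    # newer Traefik versions expose permissionsPolicy for this.
    featurePolicy: "vibrate 'self'"

    # CORS
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
    # NOTE(review): "origin-list-or-null" appears to echo the request's Origin
    # header back (TODO confirm against the deployed Traefik version), which
    # allows every origin, including for PUT. Prefer the explicit allow-list
    # below and keep credentials disabled unless origins are pinned.
    accessControlAllowOrigin: "origin-list-or-null"
    #accessControlAllowOriginList:
    #  - "https://foo.bar.org"
    #  - "https://example.org"
    accessControlMaxAge: 100
    # Adds `Vary: Origin` so shared caches do not serve one origin's CORS
    # response to another.
    addVaryHeader: true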