diff options
| author | netop://ウィビ <paul@webb.page> | 2026-06-17 11:09:07 -0700 |
|---|---|---|
| committer | netop://ウィビ <paul@webb.page> | 2026-06-17 11:09:07 -0700 |
| commit | 48ed93e67dbbf85fa5777b970d2cf324663a77e7 (patch) | |
| tree | 1ad849a447915c313103795f884920bbf14c9bad | |
| parent | 41acb374d2c934bda4178bf37290835b7ada6c52 (diff) | |
| download | blog-48ed93e67dbbf85fa5777b970d2cf324663a77e7.tar.gz blog-48ed93e67dbbf85fa5777b970d2cf324663a77e7.zip | |
adds new remark
| -rw-r--r-- | remarks/WR-025.txt | 45 | ||||
| -rw-r--r-- | version.txt | 2 |
2 files changed, 46 insertions, 1 deletions
diff --git a/remarks/WR-025.txt b/remarks/WR-025.txt new file mode 100644 index 0000000..c435803 --- /dev/null +++ b/remarks/WR-025.txt @@ -0,0 +1,45 @@ + + + + + + + +Document: WR-025 P. Webb + 2026.06.17 + + Caddy hardening + +Body + + With my recent launch[1], someone DM'd me about my site's security + not being up to snuff. Back in my nginx days, I was obSESSED with + getting a great score on `securityheaders.com`[2]. With Caddy, I + threw all that out the window. + + Not anymore! This snippet inside your site blocks will give your + Caddy site and A rating: + + ``` + header { + #Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; worker-src 'self' blob:" + Permissions-Policy "camera=(), geolocation=(), microphone=()" + Referrer-Policy "strict-origin-when-cross-origin" + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + X-Content-Type-Options "nosniff" + X-Frame-Options "SAMEORIGIN" + -Server + } + ``` + + You'll notice the first line is commented out; this is because CSP is + hella difficult to get right and you'll have to do a bit of trial and + error to get your site 1) secure and 2) operational. + + Once you do (and not have `'unsafe-inline'` in `script-src`), you + should have an A+ rating. + +References + + [1] </WM-095> + [2] <https://securityheaders.com> diff --git a/version.txt b/version.txt index 2cd1919..8ba12c0 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -2026.06.16
\ No newline at end of file +2026.06.17
\ No newline at end of file |