blob: c435803511f812fd863a268bc1c69fb78c3809bb (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
Document: WR-025 P. Webb
2026.06.17
Caddy hardening
Body
With my recent launch[1], someone DM'd me about my site's security
not being up to snuff. Back in my nginx days, I was obSESSED with
getting a great score on `securityheaders.com`[2]. With Caddy, I
threw all that out the window.
Not anymore! This snippet inside your site blocks will give your
Caddy site and A rating:
```
header {
#Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; worker-src 'self' blob:"
Permissions-Policy "camera=(), geolocation=(), microphone=()"
Referrer-Policy "strict-origin-when-cross-origin"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
-Server
}
```
You'll notice the first line is commented out; this is because CSP is
hella difficult to get right and you'll have to do a bit of trial and
error to get your site 1) secure and 2) operational.
Once you do (and not have `'unsafe-inline'` in `script-src`), you
should have an A+ rating.
References
[1] </WM-095>
[2] <https://securityheaders.com>
|