aboutsummaryrefslogtreecommitdiff
path: root/remarks/WR-025.txt
blob: c435803511f812fd863a268bc1c69fb78c3809bb (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Document: WR-025                                                 P. Webb
                                                              2026.06.17

                            Caddy hardening

Body

   With my recent launch[1], someone DM'd me about my site's security
   not being up to snuff. Back in my nginx days, I was obSESSED with
   getting a great score on `securityheaders.com`[2]. With Caddy, I
   threw all that out the window.

   Not anymore! This snippet inside your site blocks will give your
   Caddy site and A rating:

   ```
   header {
     #Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; worker-src 'self' blob:"
     Permissions-Policy "camera=(), geolocation=(), microphone=()"
     Referrer-Policy "strict-origin-when-cross-origin"
     Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
     X-Content-Type-Options "nosniff"
     X-Frame-Options "SAMEORIGIN"
     -Server
   }
   ```

   You'll notice the first line is commented out; this is because CSP is
   hella difficult to get right and you'll have to do a bit of trial and
   error to get your site 1) secure and 2) operational.

   Once you do (and not have `'unsafe-inline'` in `script-src`), you
   should have an A+ rating.

References

   [1] </WM-095>
   [2] <https://securityheaders.com>