Forked from phred/Caddyfile
Created Mar 28, 2016
A+ grade on with this:

```
header / {
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # "https:" is the valid CSP scheme-source form; the original "https:*" is not a valid source expression
    Content-Security-Policy "default-src https:"
    # HPKP has since been removed from major browsers; the pins below are this gist's own values
    Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000"
    X-Frame-Options SAMEORIGIN
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options nosniff
}
```

will guide you through smart values for these. My CSP should be tighter for sure.

Public Key Pinning was the only tricky bit; see this article for details:

Caddy certs & keys are stored in e.g. ~/.caddy/letsencrypt/sites/
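The pin computation is the part the gist calls tricky, so here is an added example (not from the gist or from Caddy): it derives pin-sha256 values with OpenSSL from a certificate and a backup key such as those stored under the path above, and prints the matching Caddyfile header line. File names are placeholders; OpenSSL must be installed.

```shell
#!/bin/sh
# Added example, not part of the gist: derive HPKP pin-sha256 values from
# the certificate/key files Caddy keeps under ~/.caddy/letsencrypt/sites/
# and print the matching Caddyfile header line. Requires OpenSSL.
set -e

# A pin is base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) ).
# From the served certificate (the "current" pin):
pin_from_cert() {   # $1 = PEM certificate (placeholder path)
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# From a private key; use it for the offline backup key, which must NOT
# be in the served chain (HPKP requires at least one such backup pin,
# otherwise browsers ignore the header).
pin_from_key() {    # $1 = PEM private key (placeholder path)
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Caddyfile line with current pin, backup pin and max-age in seconds,
# in the same quoting style as the header block above.
hpkp_header() {     # $1 = current pin, $2 = backup pin, $3 = max-age
    printf 'Public-Key-Pins "pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=%s"\n' \
        "$1" "$2" "$3"
}

# Usage: sh hpkp-pin.sh current.crt backup.key [max-age]
if [ $# -ge 2 ]; then
    hpkp_header "$(pin_from_cert "$1")" "$(pin_from_key "$2")" "${3:-2592000}"
fi
```

Keep the backup key offline and rotate to it only when the current key is retired; a pin for a key you no longer control locks visitors out for the whole max-age.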
