@mholt mholt/Caddyfile forked from phred/Caddyfile
Created Mar 28, 2016

A+ grade on securityheaders.io with this: https://securityheaders.io/?q=https%3A%2F%2Ffff.red
fff.red {
    header / {
        # Force HTTPS for one year on this host and all subdomains
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Allow any HTTPS origin. The original gist used "https:*", which the CSP
        # grammar reads as a host literally named "https" on any port, not as the https: scheme
        Content-Security-Policy "default-src https:"
        # Two pins: the served key plus a backup (HPKP requires at least one backup pin
        # not in the served chain); pins are SPKI SHA-256 digests, cached for 30 days
        Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000"
        # Only this origin may frame the site
        X-Frame-Options SAMEORIGIN
        # Legacy browser XSS filter, blocking mode
        X-XSS-Protection "1; mode=block"
        # Never MIME-sniff responses away from the declared Content-Type
        X-Content-Type-Options nosniff
    }
}

Securityheaders.io will guide you through smart values for these. My CSP should be tighter for sure.

Public Key Pinning was the only tricky bit; see this article for details: https://scotthelme.co.uk/hpkp-http-public-key-pinning/

Caddy certs & keys are stored in, e.g., ~/.caddy/letsencrypt/sites/fff.red/.
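An added example (not part of the gist) that audits a response-header set against the values the Caddyfile above is meant to produce: HSTS max-age of at least a year, a backup HPKP pin whose values decode to SHA-256 digests, nosniff, and CSP source expressions checked against a simplified version of the CSP source grammar. The sample headers are constructed from the gist, with its original `https:*` CSP value kept so the audit can show why that form is wrong.

```python
import base64
import re

# Constructed sample: the headers the Caddyfile above emits, with the gist's
# original CSP value 'https:*' kept so the audit can flag it.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src https:*",
    "Public-Key-Pins": 'pin-sha256="ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM="; pin-sha256="QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo="; max-age=2592000',
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# In the CSP grammar a host-source is host[:port], so 'https:*' parses as a host
# literally named "https" on any port; the scheme source is just 'https:'.
SCHEME_STAR = re.compile(r"^(https?|wss?|data|blob|ftp):\*$", re.I)
SOURCE = re.compile(  # simplified CSP source-expression grammar (assumption: good enough for an audit)
    r"^(?:[a-z][a-z0-9+.-]*:"  # scheme-source
    r"|(?:[a-z][a-z0-9+.-]*://)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:/[^\s;,]*)?"  # host-source
    r"|'(?:self|none|unsafe-inline|unsafe-eval|strict-dynamic)'|'(?:nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+')$", re.I)

def params(value):
    # Split 'a=1; b; c="x"' into ordered (name, value) pairs with quotes stripped
    pairs = [p.strip().partition("=") for p in value.split(";") if p.strip()]
    return [(n.lower(), v.strip().strip('"')) for n, _, v in pairs]

def audit_headers(headers):
    """Return a list of findings for a response-header dict; empty means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if int(dict(params(h.get("strict-transport-security", ""))).get("max-age", 0)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    csp = h.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy missing")
    for directive in (csp or "").split(";"):
        for src in directive.split()[1:]:
            if SCHEME_STAR.match(src):
                findings.append(f"CSP source {src!r} is a host named {src[:-2]!r}; use {src[:-1]}")
            elif not SOURCE.match(src):
                findings.append(f"CSP source {src!r} is not a valid source expression")
    pins = [v for k, v in params(h.get("public-key-pins", "")) if k == "pin-sha256"]
    if h.get("public-key-pins") and len(pins) < 2:
        findings.append("HPKP needs a backup pin (at least two pin-sha256 values)")
    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except ValueError:
            digest = b""
        if len(digest) != 32:
            findings.append(f"HPKP pin {pin!r} is not a base64 SHA-256 digest")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings
```

Running `audit_headers(SAMPLE_HEADERS)` reports only the CSP source problem; replacing the CSP value with `default-src https:` gives an empty finding list.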
