@phred
Created March 28, 2016 18:41
A+ grade on securityheaders.io with this: https://securityheaders.io/?q=https%3A%2F%2Ffff.red
fff.red {
    header / {
        # Force HTTPS for one year, on subdomains too
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        # Allow resources only from https: origins. The gist had "https:*",
        # which CSP parses as a host literally named "https" on any port,
        # not as the https: scheme source; "https:" is the intended form.
        Content-Security-Policy "default-src https:"
        # Two SPKI pins (current key plus a backup key), pinned for 30 days
        Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000"
        # Only this origin may frame the site
        X-Frame-Options SAMEORIGIN
        X-XSS-Protection "1; mode=block"
        # Stop browsers sniffing content types away from the declared one
        X-Content-Type-Options nosniff
    }
}

Securityheaders.io will guide you through smart values for these. My CSP should be tighter for sure.

Public Key Pinning was the only tricky bit, see this article for details: https://scotthelme.co.uk/hpkp-http-public-key-pinning/

Caddy certs & keys are stored in e.g. ~/.caddy/letsencrypt/sites/fff.red/.
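The Caddyfile above sets the headers, but nothing on the page checks what the server actually sends. The script below is an added example, not part of the gist or of Caddy: it parses a raw response-header block, classifies each CSP source expression by the CSP2 grammar (which is what exposes the "https:*" gotcha), checks the HSTS and HPKP directives, and can confirm that one of the pins matches a given SubjectPublicKeyInfo, which is the part of pinning the note above calls tricky. The thresholds (a one-year HSTS max-age, at least two pins) are assumptions drawn from common guidance, not securityheaders.io's scoring, and the sample header block is constructed from the gist's values.

```python
"""Audit an HTTP response's security headers. Added example, not part of the
gist or of Caddy; thresholds are assumptions, not securityheaders.io's rules."""
import base64
import hashlib
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds
URL_SCHEMES = {"http", "https", "data", "blob", "ws", "wss", "filesystem"}

# Constructed sample: the gist's headers as a server would send them, with
# the CSP value exactly as it appeared in the original Caddyfile ("https:*").
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https:*
Public-Key-Pins: pin-sha256="ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM="; pin-sha256="QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo="; max-age=2592000
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def directive_int(value: str, name: str) -> Optional[int]:
    """Read an integer 'name=NNN' directive (e.g. max-age) out of a header value."""
    m = re.search(rf"(?i)\b{name}=(\d+)", value)
    return int(m.group(1)) if m else None


def pin_from_spki(spki_der: bytes) -> str:
    """HPKP pin: base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


_SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
_HOST_SOURCE = re.compile(
    rf"(?:({_SCHEME})://)?"                               # scheme only with '://'
    r"(\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"  # host, may be wildcarded
    r"(?::(\d+|\*))?"                                     # optional port
    r"(/[^\s;,]*)?"                                       # optional path
)


def classify_source(src: str):
    """Classify one CSP source expression per the CSP2 grammar:
    ('keyword', src), ('scheme', name), ('host', {...}) or ('invalid', src)."""
    if len(src) > 1 and src.startswith("'") and src.endswith("'"):
        return "keyword", src
    if re.fullmatch(_SCHEME + ":", src):
        return "scheme", src[:-1]
    m = _HOST_SOURCE.fullmatch(src)
    if m:
        return "host", {"scheme": m.group(1), "host": m.group(2),
                        "port": m.group(3), "path": m.group(4)}
    return "invalid", src


def audit(headers: Dict[str, str], expected_spki: Optional[bytes] = None) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        age = directive_int(hsts, "max-age")
        if age is None or age < ONE_YEAR:
            findings.append(f"HSTS: max-age should be at least {ONE_YEAR} (one year)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains missing")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        for directive in csp.split(";"):
            tokens = directive.split()
            for src in tokens[1:]:
                kind, detail = classify_source(src)
                if kind == "invalid":
                    findings.append(f"CSP {tokens[0]}: '{src}' is not a valid source expression")
                # A bare scheme name used as a host ('https:*') is a typo for 'https:'.
                elif kind == "host" and detail["scheme"] is None \
                        and detail["host"].lower() in URL_SCHEMES:
                    findings.append(f"CSP {tokens[0]}: '{src}' is parsed as host "
                                    f"'{detail['host']}' on port '{detail['port'] or 'default'}', "
                                    f"not as a scheme source; use '{detail['host']}:'")
    hpkp = headers.get("public-key-pins")
    if hpkp is not None:
        pins = re.findall(r'pin-sha256="([^"]*)"', hpkp)
        if len(pins) < 2:
            findings.append("HPKP: at least two pins (one for a backup key) are required")
        for pin in pins:
            try:
                digest = base64.b64decode(pin)
            except ValueError:
                digest = b""
            if len(digest) != 32:
                findings.append(f"HPKP: pin '{pin}' is not a base64 SHA-256 digest")
        if directive_int(hpkp, "max-age") is None:
            findings.append("HPKP: max-age missing")
        if expected_spki is not None and pin_from_spki(expected_spki) not in pins:
            findings.append("HPKP: none of the pins matches the supplied public key")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")
    if headers.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")
    return findings


def audit_raw(raw: str, expected_spki: Optional[bytes] = None) -> List[str]:
    """Convenience wrapper: audit a raw header block such as `curl -I` output."""
    return audit(parse_headers(raw), expected_spki)


if __name__ == "__main__":
    for finding in audit_raw(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the "https:*" source; replacing it with "https:" clears the report. To check a live deployment, feed the output of `curl -sI https://example.invalid` to audit_raw and, for the pin check, the DER SubjectPublicKeyInfo of the key Caddy is actually serving.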
