# Caddyfile — automatic HTTPS via Let's Encrypt.
# Set the DOMAIN environment variable to your public hostname before deploying,
# e.g. DOMAIN=myapp.example.com in your .env file. For Let's Encrypt issuance
# the name must resolve publicly to this host and ports 80 and 443 must be
# reachable from the internet (the HTTP→HTTPS redirect and the ACME challenge
# both depend on that).
#
# For local testing without a real domain, simply leave DOMAIN unset: the site
# address below falls back to "localhost" and Caddy issues a certificate from its
# internal, locally-trusted CA instead of contacting Let's Encrypt.
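{$DOMAIN:localhost} {
    # API traffic → FastAPI backend.
    # Only paths beneath /api/ are proxied here; the bare "/api" path does not
    # match "/api/*" and falls through to the frontend handler below.
    handle /api/* {
        reverse_proxy backend:8000
    }

    # Everything else → React frontend (served by nginx)
    handle {
        reverse_proxy frontend:80
    }

    # NOTE(review): if Caddy itself sits behind another proxy or load balancer,
    # the `trusted_proxies` global server option is needed for the upstream
    # X-Forwarded-* values to be honoured — cannot tell from this file.

    # Security headers, applied to every response from this site (API and
    # frontend alike; Caddy orders `header` before `handle`, so textual
    # position does not matter).
    #
    # `defer` applies these operations after the upstream response has been
    # received, so the values below override anything the backend or nginx
    # set, and the `-` deletions strip upstream headers too. Without `defer`
    # the block is still deferred, but only implicitly because it contains
    # `-` operations; spelling it out keeps that behaviour even if the
    # deletions are removed later.
    header {
        defer

        # Force HTTPS for 1 year and include sub-domains.
        # Caveat: `preload` advertises eligibility for the browser HSTS preload
        # list, which then covers every sub-domain and is slow to undo — keep it
        # only once all sub-domains are permanently served over HTTPS.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Content Security Policy
        # - script/default from same origin only (CRA bundles everything)
        # - unsafe-inline needed for React inline style attributes (style-src
        #   only; script-src deliberately has no 'unsafe-inline')
        # - connect-src 'self': all API calls are same-origin (proxied by Caddy).
        #   Under CSP3 'self' also covers wss:// to this host; if WebSockets are
        #   added later, older browsers may need the scheme listed explicitly.
        # - frame-ancestors 'none' mirrors X-Frame-Options DENY below for
        #   browsers that honour either header
        Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self'; font-src 'self' data:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'"

        # Disable browser features the app does not use
        Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"

        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        Cross-Origin-Opener-Policy "same-origin"
        Cross-Origin-Resource-Policy "same-origin"

        # Remove fingerprinting headers: Caddy's own Server header and any
        # X-Powered-By the upstream apps add.
        -Server
        -X-Powered-By
    }
}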