Caddy version: 2.5.1
How I run Caddy: Using the official (alpine) Docker image.
Hello everyone,
I have just switched from NGINX to Caddy for an internal app and now I’m trying to make things better.
Specifically, I’m trying to set some security headers.
I had no problems with Strict-Transport-Security, but I have no luck with Content-Security-Policy.
I have added the directive to my Caddyfile as below:
    staging.inforlife.ch {
        reverse_proxy app:3000
        header {
            # enable HSTS
            Strict-Transport-Security max-age=31536000;
            # disable FLoC tracking
            Permissions-Policy interest-cohort=()
            # Enable cross-site filter (XSS)
            # and tell browser to block detected attacks
            X-Frame-Options "Deny"
            Content-Security-Policy "
                default-src 'self';
                style-src 'self';
                script-src 'self';
                font-src 'self';
                img-src 'self';
                form-action 'self';
                connect-src 'self';
                frame-ancestors 'none';
            "
        }
    }
But it’s not picked up.
Am I missing anything here?
Thanks,
Sig
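
A check for the configuration above, as an added example that is not part of the original post: it tests the posted Content-Security-Policy value for characters an HTTP field value may not contain (CR, LF and NUL, per RFC 9110) and re-serialises the policy on one line. It assumes that a quoted Caddyfile value spanning several lines keeps its line breaks; the function names are hypothetical.

```python
import re

# The Content-Security-Policy value from the Caddyfile above, line breaks
# included (assumption: a quoted Caddyfile token keeps its newlines).
CSP_FROM_POST = """
default-src 'self';
style-src 'self';
script-src 'self';
font-src 'self';
img-src 'self';
form-action 'self';
connect-src 'self';
frame-ancestors 'none';
"""

# CR, LF and NUL are never valid inside an HTTP field value (RFC 9110, 5.5).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def field_value_problems(value):
    """Return (offset, repr(char)) for every character a server must not send."""
    return [(m.start(), repr(m.group())) for m in _FORBIDDEN.finditer(value)]


def parse_csp(value):
    """Split a policy into {directive: [sources]}; first occurrence wins, as in CSP3."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after the trailing semicolon
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def to_single_line(value):
    """Re-serialise the policy as one line suitable for a header value."""
    return "; ".join(
        " ".join([name, *sources]) for name, sources in parse_csp(value).items()
    )


if __name__ == "__main__":
    print("problems:", field_value_problems(CSP_FROM_POST))
    print("single line:", to_single_line(CSP_FROM_POST))
```

Comparing the single-line output with the header seen in `curl -sI` over both HTTP/1.1 and HTTP/2 shows whether the server delivered the policy as written.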