From cea275f8e81f7b81deacc01b65ccf27713e4cfd4 Mon Sep 17 00:00:00 2001
From: teutat3s <teutates@mailbox.org>
Date: Mon, 17 Jan 2022 10:50:27 +0100
Subject: [PATCH] caddy: add privacy and security headers

---
 Caddyfile          | 18 ++++++++++++++++++
 docker-compose.yml |  3 +++
 2 files changed, 21 insertions(+)

diff --git a/Caddyfile b/Caddyfile
index 57c6b55..aae52d6 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -24,3 +24,21 @@ miom.space {
 www.miom.space {
         redir https://miom.space{uri}
 }
+
+# security and privacy headers
+header {
+	# disable FLoC tracking
+	Permissions-Policy interest-cohort=()
+
+	# enable HSTS
+	Strict-Transport-Security max-age=63072000;
+
+	# disable clients from sniffing the media type
+	X-Content-Type-Options nosniff
+
+	# clickjacking protection
+	X-Frame-Options DENY
+
+	# keep referrer data off of HTTP connections
+	Referrer-Policy no-referrer-when-downgrade
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 2a07b17..ff8b9d5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,9 +12,12 @@ services:
       - caddy_data:/data
     labels:
       - triton.cns.services=miom-website
+      - "com.docker.swarm.affinities=[\"volumename==miomspace_caddy_data\"]"
 
 volumes:
   caddy_data:
+    external: true
+    name: miomspace_caddy_data
     driver: tritonnfs
     driver_opts:
       size: "1G"