fix(security): add HTTP security headers (CSP, HSTS, X-Frame-Options)

- middleware.ts: set X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy on all responses - Caddyfile: add Strict-Transport-Security (HSTS 1y), X-Frame-Options, X-Content-Type-Options at reverse proxy level
2026-05-19 10:10:05 +02:00
parent 2a6c3a1222
commit 0395a78008
2 changed files with 13 additions and 0 deletions
@@ -1,4 +1,9 @@
 localhost {
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Frame-Options "DENY"
+        X-Content-Type-Options "nosniff"
+    }
    handle /uploads/* {
        root * /srv
        file_server