Главная Обзор Помощь
Вход
chiappa
/
irdb
зеркало из https://git.snix.ch/chiappa/irdb.git
1
0
Ответвить 0
Файлы Задачи 0
Дерево: 68121febe2
Ветки Метки
irdb
/
ui
/
docker
/
Caddyfile

Caddyfile 2.7 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. # FrankenPHP Caddyfile for the ui container.
    2. 

  2. # Serves Slim from public/ on :8080.
    3. 

  3. {
    4. 

  4.     frankenphp
    5. 

  5.     order php_server before file_server
    6. 

  6.     auto_https off
    7. 

  7.     admin off
    8. 

  8.     servers {
    9. 

  9.         trusted_proxies static private_ranges
    10. 

  10.     }
    11. 

  11. }
    12. 

  12. 

  13. :8080 {
    14. 

  14.     root * /app/public
    15. 

  15.     encode zstd gzip
    16. 

  16. 

  17.     # ── Security headers (M14) ──────────────────────────────────────────
    18. 

  18.     # CSP is set per-response by `App\Http\CspMiddleware` so the
    19. 

  19.     # `script-src 'nonce-…'` value can change per request, dropping
    20. 

  20.     # `'unsafe-inline'` / `'unsafe-eval'` (SEC_REVIEW F24).
    21. 

  21.     header {
    22. 

  22.         -Server
    23. 

  23.         -X-Powered-By
    24. 

  24.         X-Content-Type-Options "nosniff"
    25. 

  25.         X-Frame-Options "DENY"
    26. 

  26.         Referrer-Policy "strict-origin-when-cross-origin"
    27. 

  27.         Permissions-Policy "geolocation=(), microphone=(), camera=()"
    28. 

  28.         # SEC_REVIEW F59: modern cross-origin isolation headers.
    29. 

  29.         # - COOP `same-origin` isolates the browsing context from any
    30. 

  30.         #   popups it opens; a `window.opener.location = …` from a
    31. 

  31.         #   newly-spawned cross-origin tab can no longer reach back.
    32. 

  32.         # - CORP `same-origin` tells the browser this resource may
    33. 

  33.         #   only be loaded by same-origin documents (defeats sub-
    34. 

  34.         #   resource leaks via cross-origin <img>/<script>/<link>
    35. 

  35.         #   inclusion).
    36. 

  36.         # - X-Permitted-Cross-Domain-Policies `none` blocks legacy
    37. 

  37.         #   Adobe Flash / Acrobat cross-domain.xml lookups.
    38. 

  38.         # COEP `require-corp` is deliberately NOT set — that requires
    39. 

  39.         # every cross-origin resource (e.g. the jsDelivr-hosted
    40. 

  40.         # RapiDoc on /api/docs) to opt in via CORP, which we don't
    41. 

  41.         # control. We're only after the COOP/CORP/legacy-Flash
    42. 

  42.         # benefits the SEC_REVIEW called out.
    43. 

  43.         Cross-Origin-Opener-Policy "same-origin"
    44. 

  44.         Cross-Origin-Resource-Policy "same-origin"
    45. 

  45.         X-Permitted-Cross-Domain-Policies "none"
    46. 

  46.     }
    47. 

  47. 

  48.     # HSTS: prod-only (setting it in dev would lock you out of plain-HTTP
    49. 

  49.     # localhost on the same hostname for a year). The value is operator-
    50. 

  50.     # tuneable via the `HSTS_HEADER` env var so a deployment that wants
    51. 

  51.     # to apply for the browser preload list can opt in by setting:
    52. 

  52.     #     HSTS_HEADER="max-age=31536000; includeSubDomains; preload"
    53. 

  53.     # Default keeps the conservative no-preload value — preload-listing
    54. 

  54.     # is a one-way commitment (browser preload removals take months) so
    55. 

  55.     # we don't enable it by default (SEC_REVIEW F60).
    56. 

  56.     @prod expression `{env.APP_ENV} == "production"`
    57. 

  57.     header @prod Strict-Transport-Security "{$HSTS_HEADER:max-age=31536000; includeSubDomains}"
    58. 

  58. 

  59.     php_server
    60. 

  60. }
    61.