phred created this gist on Mar 28, 2016.
Caddyfile:

```
fff.red {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Content-Security-Policy "default-src https:*"
        Public-Key-Pins "pin-sha256=\"ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM=\"; pin-sha256=\"QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo=\"; max-age=2592000"
        X-Frame-Options SAMEORIGIN
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options nosniff
    }
}
```

Notes:

Securityheaders.io will guide you through smart values for these. My CSP should be tighter for sure.

Public Key Pinning was the only tricky bit; see this article for details: <https://scotthelme.co.uk/hpkp-http-public-key-pinning/>

Caddy certs & keys are stored in e.g. `~/.caddy/letsencrypt/sites/fff.red/`.
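As an added illustration (not part of the gist, and not Caddy's or securityheaders.io's code), the following Python script does offline what the notes above point at: it audits a set of response headers for the hardening headers the Caddyfile sets, parses the Public-Key-Pins value, validates each pin-sha256 as base64 of a 32-byte SHA-256 digest, and computes a pin from a PEM public key the way `openssl x509 -in cert.pem -pubkey -noout` would hand it to you (base64 of SHA-256 over the DER SubjectPublicKeyInfo). The `SAMPLE_HEADERS` dict is constructed here from the values in the Caddyfile; the finding strings, thresholds and function names are this example's own assumptions, not anything the gist defines.

```python
import base64
import hashlib
import re

# Constructed sample: the response headers the Caddyfile above would set for
# fff.red. The values are copied from the gist; the dict is built here.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src https:*",
    "Public-Key-Pins": (
        'pin-sha256="ckOIjdimiwD3mfMmkmCh7uiJCBtXvoqoBoKKB1K5UIM="; '
        'pin-sha256="QiTyymM4e635OgWkx9d7nq5xvEuqmgV7HiDjIIGyymo="; '
        "max-age=2592000"
    ),
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_pem_public_key(pem: str) -> str:
    """Compute the pin from a PEM public key (the SPKI as `openssl x509 -pubkey -noout`
    prints it): drop the armour lines, base64-decode the DER, then hash it."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return spki_pin(base64.b64decode(body))


def valid_pin(pin: str) -> bool:
    """A pin-sha256 must be strict base64 decoding to exactly 32 bytes."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def parse_hpkp(value: str):
    """Split a Public-Key-Pins header into (pins, max_age, include_subdomains)."""
    pins, max_age, include_sub = [], None, False
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "pin-sha256":
            pins.append(val)
        elif key == "max-age":
            max_age = int(val)
        elif key == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub


def audit(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # A bare scheme source (https: or https:*) admits every origin on that
        # scheme, which is the looseness the gist's author flags in the notes.
        for directive in csp.split(";"):
            tokens = directive.split()
            if len(tokens) >= 2 and any(re.fullmatch(r"https?:\*?", t) for t in tokens[1:]):
                findings.append("CSP %s allows any origin over the scheme; list explicit hosts" % tokens[0])

    hpkp = h.get("public-key-pins")
    if hpkp is not None:  # optional header; only checked when present
        pins, max_age, _ = parse_hpkp(hpkp)
        if len(pins) < 2:
            findings.append("HPKP needs at least two pins (one must be a backup key)")
        if not all(valid_pin(p) for p in pins):
            findings.append("HPKP contains a malformed pin-sha256 value")
        if max_age is None:
            findings.append("HPKP lacks max-age")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS) or ["all checks passed"]:
        print(finding)
```

Run against the sample headers, the only finding is the scheme-wide `default-src`, which matches the note that the CSP should be tighter. To produce a pin for your own key, feed the output of `openssl x509 -in <cert from ~/.caddy/letsencrypt/sites/<site>/> -pubkey -noout` to `pin_from_pem_public_key`, and do the same for a backup key kept offline, since HPKP requires a second pin. One caveat for anyone reusing this config today: browsers have since removed support for Public-Key-Pins, so the header is inert in current clients; the pin checks are kept here only because the gist's header set includes it.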