From c5266b3e2133d8b5b4d8912a6b5b0344e7387475 Mon Sep 17 00:00:00 2001
From: John in 't Hout
Date: Tue, 23 Feb 2021 12:57:46 +0100
Subject: [PATCH 1/3] Add headers for a more secure PWA.

Implement a few headers for the PWA to protect the application against
Clickjacking and XSS attacks.
---
 api/docker/caddy/Caddyfile | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/api/docker/caddy/Caddyfile b/api/docker/caddy/Caddyfile
index 39fd55f5f65..ecaeb3d6f1c 100644
--- a/api/docker/caddy/Caddyfile
+++ b/api/docker/caddy/Caddyfile
@@ -47,6 +47,18 @@ route {
 	# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
 	header ?Link `; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", ; rel="mercure"`
 
+	# Set headers for protection against XSS, clickjacking and MIME-sniffing.
+	header / {
+		# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+		Strict-Transport-Security "max-age=31536000;"
+		# Enable cross-site filter (XSS) and tell browser to block detected attacks
+		X-XSS-Protection "1; mode=block"
+		# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+		X-Content-Type-Options "nosniff"
+		# Disallow the site to be rendered within a frame (clickjacking protection)
+		X-Frame-Options "DENY"
+	}
+
 	# Comment the following line if you don't want Next.js to catch requests for HTML documents.
 	# In this case, they will be handled by the PHP app.
 	reverse_proxy @pwa http://{$PWA_UPSTREAM}

From 1292c3e6eae43278be1aa4d04749be830ffd448f Mon Sep 17 00:00:00 2001
From: John in 't Hout
Date: Thu, 4 Mar 2021 11:41:57 +0100
Subject: [PATCH 2/3] Move the header above mercure link header

---
 api/docker/caddy/Caddyfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/docker/caddy/Caddyfile b/api/docker/caddy/Caddyfile
index ecaeb3d6f1c..00bc13cd6d3 100644
--- a/api/docker/caddy/Caddyfile
+++ b/api/docker/caddy/Caddyfile
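Review bot: `header / {` on the new side uses a Caddy 2 path matcher, and a bare `/` matches only the exact root path, so the security headers it wraps are emitted for `/` and for nothing else (`/docs`, `/.well-known/mercure`, every other PWA route); the matcher should be dropped (`header {`) or widened (`header /* {`) if the headers are meant for the whole site. Patch 3/3 of this series does drop it, so this only bites anyone applying 1/3 on its own, but the commit message's claim of protecting "the PWA" is not true for this commit as written. The `route` block this hunk sits in starts and ends outside the hunk.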
@@ -44,9 +44,6 @@ route {
 	vulcain
 	push
 
-	# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
-	header ?Link `; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", ; rel="mercure"`
-
 	# Set headers for protection against XSS, clickjacking and MIME-sniffing.
 	header / {
 		# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
@@ -59,6 +56,9 @@ route {
 		X-Frame-Options "DENY"
 	}
 
+	# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
+	header ?Link `; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", ; rel="mercure"`
+
 	# Comment the following line if you don't want Next.js to catch requests for HTML documents.
 	# In this case, they will be handled by the PHP app.
 	reverse_proxy @pwa http://{$PWA_UPSTREAM}

From 5c2bc01ca113745fd7bdc304eb2d2e56328db8ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Dunglas?=
Date: Tue, 16 Mar 2021 16:05:10 +0100
Subject: [PATCH 3/3] cleanup Caddyfile

---
 api/docker/caddy/Caddyfile | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/api/docker/caddy/Caddyfile b/api/docker/caddy/Caddyfile
index 00bc13cd6d3..f3b4474614b 100644
--- a/api/docker/caddy/Caddyfile
+++ b/api/docker/caddy/Caddyfile
@@ -44,10 +44,14 @@ route {
 	vulcain
 	push
 
-	# Set headers for protection against XSS, clickjacking and MIME-sniffing.
-	header / {
+	header {
+		# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
+		?Link `; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", ; rel="mercure"`
+
+		# Set security headers
+
 		# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-		Strict-Transport-Security "max-age=31536000;"
+		Strict-Transport-Security "max-age=31536000; preload"
 		# Enable cross-site filter (XSS) and tell browser to block detected attacks
 		X-XSS-Protection "1; mode=block"
 		# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
@@ -55,10 +59,7 @@ route {
 		# Disallow the site to be rendered within a frame (clickjacking protection)
 		X-Frame-Options "DENY"
 	}
-
-	# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
-	header ?Link `; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", ; rel="mercure"`
-
+
 	# Comment the following line if you don't want Next.js to catch requests for HTML documents.
 	# In this case, they will be handled by the PHP app.
 	reverse_proxy @pwa http://{$PWA_UPSTREAM}
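Review bot: The new `Strict-Transport-Security "max-age=31536000; preload"` advertises HSTS-preload eligibility without `includeSubDomains`, which the preload list requires, and it does so in a distribution template that every deployment inherits, turning a near-irreversible commitment (all subdomains HTTPS-only once submitted) into a silent default; either drop `preload` here or make it explicit opt-in as `Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` with a comment that it must stay off until every subdomain serves HTTPS. The kept `X-XSS-Protection "1; mode=block"` enables a browser filter that Chromium-based browsers have removed and that current guidance (e.g. OWASP's secure-headers project) advises disabling with `X-XSS-Protection "0"`, since the auditor itself has been abused for cross-site leaks; the effective XSS control is a `Content-Security-Policy`, which this block does not set. `X-Frame-Options "DENY"` is the legacy half of clickjacking protection and is best paired with `Content-Security-Policy "frame-ancestors 'none'"`, which supersedes it in browsers that honour CSP. Because this `header` block now applies to every response of the route, including the API and the Mercure hub, a comment stating that these are baseline defaults to be tuned per deployment would help operators; the enclosing `route` block starts and ends outside the hunk.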