fly-apps/static/Caddyfile

{
	# fly.io handles HTTPS for us
	auto_https off
}

http://static-mat-services.fly.dev {
	redir https://mat.services
}

:8080 {
	root * {$SITE_ROOT}
	encode gzip
	file_server

	handle_errors {
		@404 {
			expression {http.error.status_code} == 404
		}
		rewrite @404 /404.html
		file_server
	}

	log {
		output stdout
	}

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		# currently ramping up max-age as per https://hstspreload.org/
		Strict-Transport-Security max-age=2592000; includeSubDomains
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# clickjacking protection
		X-Frame-Options DENY
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer
		# content security policy
		# style-src 'unsafe-inline': syntax highlighting in codefences
		# sandbox allow-popups: enable target="_blank" links to open in new tabs
		Content-Security-Policy "default-src 'none';
      img-src 'self';
      style-src 'self' 'unsafe-inline';
      font-src 'self';
			script-src 'self';
      form-action 'none';
      frame-ancestors 'none';
      base-uri 'none';
      upgrade-insecure-requests;
      sandbox allow-same-origin allow-popups allow-popups-to-escape-sandbox"
	}

	# caching
	route {
		header /style/* Cache-Control max-age=31536000, immutable
		header /image/* Cache-Control max-age=31536000, immutable
		header /font/* Cache-Control max-age=31536000, immutable
		header Cache-Control max-age=180
	}
}
Add static site 2022-08-09 04:31:25 +00:00			`{`
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`# fly.io handles HTTPS for us`
			`auto_https off`
Add static site 2022-08-09 04:31:25 +00:00			`}`

Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`http://static-mat-services.fly.dev {`
			`redir https://mat.services`
Add static site 2022-08-09 04:31:25 +00:00			`}`

			`:8080 {`
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`root * {$SITE_ROOT}`
			`encode gzip`
			`file_server`
Add 404 handler 2022-08-10 04:20:12 +00:00
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`handle_errors {`
			`@404 {`
			`expression {http.error.status_code} == 404`
			`}`
			`rewrite @404 /404.html`
			`file_server`
			`}`
Add headers to caddy 2022-08-13 04:48:18 +00:00
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`log {`
			`output stdout`
			`}`

			`header {`
			`# disable FLoC tracking`
			`Permissions-Policy interest-cohort=()`
			`# enable HSTS`
			`# currently ramping up max-age as per https://hstspreload.org/`
			`Strict-Transport-Security max-age=2592000; includeSubDomains`
			`# disable clients from sniffing the media type`
			`X-Content-Type-Options nosniff`
			`# clickjacking protection`
			`X-Frame-Options DENY`
			`# keep referrer data off of HTTP connections`
			`Referrer-Policy no-referrer`
			`# content security policy`
			`# style-src 'unsafe-inline': syntax highlighting in codefences`
			`# sandbox allow-popups: enable target="_blank" links to open in new tabs`
			`Content-Security-Policy "default-src 'none';`
Add headers to caddy 2022-08-13 04:48:18 +00:00			`img-src 'self';`
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`style-src 'self' 'unsafe-inline';`
			`font-src 'self';`
			`script-src 'self';`
Add form-action none 2022-08-13 05:12:32 +00:00			`form-action 'none';`
Add headers to caddy 2022-08-13 04:48:18 +00:00			`frame-ancestors 'none';`
			`base-uri 'none';`
			`upgrade-insecure-requests;`
Properly fix CSP popup settings 2022-08-14 13:14:39 +00:00			`sandbox allow-same-origin allow-popups allow-popups-to-escape-sandbox"`
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`}`
Add per route caching headers 2022-08-14 01:29:18 +00:00
Use SITE_ROOT 2022-08-28 18:57:10 +00:00			`# caching`
			`route {`
			`header /style/* Cache-Control max-age=31536000, immutable`
			`header /image/* Cache-Control max-age=31536000, immutable`
			`header /font/* Cache-Control max-age=31536000, immutable`
			`header Cache-Control max-age=180`
			`}`
Try new CSP 2022-08-13 12:41:56 +00:00			`}`