Update docker/resume/Caddyfile

2025-03-31 00:14:49 -04:00 · 2025-03-31 00:14:49 -04:00 · 2e9c196d8a
parent 12f3ca9a3b
commit 2e9c196d8a
1 changed files with 4 additions and 4 deletions
--- a/docker/resume/Caddyfile
+++ b/docker/resume/Caddyfile
@ -6,15 +6,15 @@
    # Security headers
    header {
        # HSTS
-        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        
        # Basic security headers
-        X-Frame-Options "SAMEORIGIN"
+        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
        
        # Permissions policy
-        Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()"
+        Permissions-Policy "geolocation=(), microphone=(), camera=()"
        
        # Cross-origin isolation headers
        Cross-Origin-Embedder-Policy "require-corp"
@ -22,7 +22,7 @@
        Cross-Origin-Opener-Policy "same-origin"
        
        # Simplified CSP for static content
-        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; base-uri 'self'; form-action 'self'"
+        Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';"
    }

    # Handle 404s