
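  {$DOMAIN} {
      # TLS — ACME is pointed at the Let's Encrypt *staging* CA for initial
      # testing. Staging certificates are not trusted by browsers, so drop the
      # `ca` line (Caddy then defaults to the production directory) before
      # this config serves real users.
      tls {$TLS_EMAIL} {
          ca https://acme-staging-v02.api.letsencrypt.org/directory
      }

      # Security headers applied to every response from the upstream app
      header {
          # script-src is locked to 'self'. object-src is set to 'none' so
          # plugin/embed content cannot be loaded even from the same origin
          # (without it, object-src inherits default-src 'self').
          # style-src keeps 'unsafe-inline' — presumably for framework-injected
          # styles; tighten with nonces/hashes if the app allows it.
          Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://image.tmdb.org; connect-src 'self' wss://{$DOMAIN}; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
          # Legacy fallback for frame-ancestors 'none' in browsers without CSP3
          X-Frame-Options "DENY"
          X-Content-Type-Options "nosniff"
          Referrer-Policy "strict-origin-when-cross-origin"
          # max-age is deliberately short (one day) while the deployment is
          # still being validated; raise it (e.g. 31536000) once the production
          # CA is in use, because includeSubDomains makes a wrong setting
          # sticky for every subdomain for the whole max-age.
          Strict-Transport-Security "max-age=86400; includeSubDomains"
          Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
          # Remove the Server header rather than advertise the proxy software
          -Server
      }

      # Reverse proxy to the Next.js app container
      reverse_proxy app:3000
  }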