fix: security feature policy

Author: rubiin

docker-compose.yml

@@ -82,29 +82,36 @@ services:
         labels:
             - traefik.enable=true
         labels:
+            - "traefik.enable=true"
             - "traefik.enable=true"
             - "traefik.http.middlewares.traefik-compress.compress=true"
             - "traefik.http.middlewares.traefik-ratelimit.ratelimit.average=100" # Set average rate limit to 100 requests per minute
             - "traefik.http.middlewares.traefik-ratelimit.ratelimit.burst=50" # Set burst rate limit to 50 requests
             - "traefik.http.middlewares.traefik-ratelimit.ratelimit.period=1m" # Set rate limit evaluation period to 1 minute
             - "traefik.http.middlewares.traefik-retry.retry.attempts=4" # Allow up to 4 retry attempts
             - "traefik.http.middlewares.traefik-retry.retry.initialinterval=100ms" # Set initial retry interval to 100 milliseconds
-            - "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT, POST, DELETE" # Allow specified HTTP methods
-            - "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100" # Set value for Access-Control-Max-Age header
-            - "traefik.http.middlewares.security-headers.headers.addvaryheader=true" # Add Vary header to responses
+            # - "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=*" # Allow specified HTTP methods
+            # - "traefik.http.middlewares.security-headers.headers.accesscontrolalloworiginlist=*" # Allow specified HTTP methods
+            # - "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100" # Set value for Access-Control-Max-Age header
+            # - "traefik.http.middlewares.security-headers.headers.addvaryheader=true" # Add Vary header to responses
+            - "traefik.http.middlewares.security-headers.headers.framedeny=true" # Enable frame denial for clickjacking protection
+            - "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true" # Enable Content-Type nosniff
+            - "traefik.http.middlewares.security-headers.headers.browserxssfilter=false" # Enable browser XSS filter
+            - "traefik.http.middlewares.security-headers.headers.referrerpolicy=no-referrer" # Set Referrer-Policy header
+            - "traefik.http.middlewares.security-headers.headers.permissionsPolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" # Set Feature-Policy header values
+            - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex" # Set custom response headers
+            - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Powered-By=" # Remove X-Powered-By header
+            - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Download-Options=noopen" # Add X-Download-Options header
+            - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-DNS-Prefetch-Control=off" # Add X-DNS-Prefetch-Control header
+            - "traefik.http.middlewares.security-headers.headers.customresponseheaders.Origin-Agent-Cluster=?1" # Add Origin-Agent-Cluster header
+            - "traefik.http.middlewares.security-headers.headers.contentsecuritypolicy=Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
             - "traefik.http.middlewares.security-headers.headers.hostsproxyheaders=X-Forwarded-Host" # Configure proxy headers for X-Forwarded-Host
             - "traefik.http.middlewares.security-headers.headers.sslredirect=true" # Enable HTTPS redirection
             - "traefik.http.middlewares.security-headers.headers.sslproxyheaders.X-Forwarded-Proto=https" # Configure proxy headers for X-Forwarded-Proto
-            - "traefik.http.middlewares.security-headers.headers.stsseconds=63072000" # Set Strict-Transport-Security max-age value
+            - "traefik.http.middlewares.security-headers.headers.stsseconds=15552000" # Set Strict-Transport-Security max-age value
             - "traefik.http.middlewares.security-headers.headers.stsincludesubdomains=true" # Include subdomains in Strict-Transport-Security header
             - "traefik.http.middlewares.security-headers.headers.stspreload=true" # Enable HTTP Strict Transport Security preload list
             - "traefik.http.middlewares.security-headers.headers.forcestsheader=true" # Force Strict-Transport-Security header on all responses
-            - "traefik.http.middlewares.security-headers.headers.framedeny=true" # Enable frame denial for clickjacking protection
-            - "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true" # Enable Content-Type nosniff
-            - "traefik.http.middlewares.security-headers.headers.browserxssfilter=true" # Enable browser XSS filter
-            - "traefik.http.middlewares.security-headers.headers.referrerpolicy=same-origin" # Set Referrer-Policy header
-            - "traefik.http.middlewares.security-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" # Set Feature-Policy header values
-            - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex" # Set custom response headers
 
         networks:
             - nestify-network